d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
Size

2.6MB
MD5

d710af8366496ca0d1a7cce597a3f7f8
SHA1

e5a817c5c529fe6cc3c39fcf1e602cbe43742d39
SHA256

d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4
SHA512

af60aa1de837baee68de18bc5f717f2b37b223f61de1f71aba1f7a74ab5efaee22acf83eb8a5a37c0a19e22174223890edb6ea899781b8b40bb059852394ca54
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpgb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	sysdevbod.exe
2856	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXZ\\adobsys.exe"	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4I\\dobasys.exe"	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe
2328	sysdevbod.exe
2856	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2328	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	30
PID 2560 wrote to memory of 2328	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	30
PID 2560 wrote to memory of 2328	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	30
PID 2560 wrote to memory of 2328	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	30
PID 2560 wrote to memory of 2856	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	31
PID 2560 wrote to memory of 2856	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	31
PID 2560 wrote to memory of 2856	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	31
PID 2560 wrote to memory of 2856	2560	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	31

C:\Users\Admin\AppData\Local\Temp\d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
"C:\Users\Admin\AppData\Local\Temp\d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\IntelprocXZ\adobsys.exe
  C:\IntelprocXZ\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocXZ\adobsys.exe

Filesize
2.6MB

MD5
2cd458e7c73eb5c72677b25b9f9e767a

SHA1
ae80b17659748c5493cf44024b841752324278c4

SHA256
3994716fcb9978bfb293cb0498d7e8f7c96c091d4b14fb6e73c109856e37311c

SHA512
1aa1581433dc9b5c728d1dd192cc68a3a5c8f406fa9f20b87e12ac0d7158eb911c29248aed059da0a0f68fd33f147779c6688d5d2a817efb42c50c9a66f9f6fe

Download Submit
C:\LabZ4I\dobasys.exe

Filesize
2.6MB

MD5
09935387e3608350f166a424272f8d2c

SHA1
08ee3899ab1e9899684d58d8a913e03f8f70506b

SHA256
1f965cf51e0d180fb2627cbdf7c9e013c8d1ae1b0176bb31598a374c8e132fe8

SHA512
91d89a0c14fd14de7879749717025b77dbc9459f32a3269168940c92bfd307114f6bc5676c284f87bcc232c5ed6ebb07f551f412f4dbd43ac9c3625be4289cd1

Download Submit
C:\LabZ4I\dobasys.exe

Filesize
307KB

MD5
ab3cfb2685a999a0da778ad3d7cf0e38

SHA1
1820b8a2e73ff66b31ba7011a4c1d8babad8d705

SHA256
65351b2511a933647f73c2bebdf4f744690a6fbadf24e715af55a48d173e541f

SHA512
8b0f1c83cfeb8b8df993f4aaade855ce0e6a069be34a9f8ddda9669ae28897b1298fa3bbd92853deed5a16a991f18639693dae8352808b4f66bf6b5dcad77fa6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
0febb0eba6ae7d01fc46ef4ac0d597b0

SHA1
636b0544b9335958b2f744de0b33bff03a70bd8f

SHA256
2cef2fc82011ec7095f7f1f1642fe9b3e740491073b870014c8f72216bece8a4

SHA512
76e8d9630c0a13e3b08891f7746990b3cfcc4b87ad60a351bf4cbb91cfa24f2ddaf6b5afc878492efe6f213e28daa1a804b529f933dad3b1b163ccb795078c46

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
0ccec821f3bbd78258aa35900f686d54

SHA1
035ddb6f70537bef3ba3f36557095a973dfbb7eb

SHA256
488ced8791cb010641e781279d218721a004490e7c74b45a4d06e11088ce7bf1

SHA512
e89ce07f0c6a9e8a6217c8c7a9e439415884c25323ec8ef381ea511e1fea9be6aa91b3df20b59b687c26d6892453bb12438af28b231ee5ee1d53cc3fd92bfddd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
9325b0d5ac4c2d9789b49f986b5da8a7

SHA1
3fb3f0f9dcbf05d5d13e6e8b1f361e6bb9df0d4d

SHA256
25d142363b94029dd767efdad94803f9356b511b2f32e58beaa07ac1fa13cde6

SHA512
81a403e2eb4d74caea9ac0aa256cc8fc0523d7efa1a3f85251ad6a009991009704f2b0c48299910f4076507d97dd7358b41672c2375e4e4cf4c644e10b705e94

Download Submit