d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
Size

2.6MB
MD5

d710af8366496ca0d1a7cce597a3f7f8
SHA1

e5a817c5c529fe6cc3c39fcf1e602cbe43742d39
SHA256

d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4
SHA512

af60aa1de837baee68de18bc5f717f2b37b223f61de1f71aba1f7a74ab5efaee22acf83eb8a5a37c0a19e22174223890edb6ea899781b8b40bb059852394ca54
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpgb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe

Executes dropped EXE 2 IoCs

pid	Process
4952	sysdevdob.exe
4996	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4Z\\adobloc.exe"	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAT\\dobxloc.exe"	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe
4952	sysdevdob.exe
4952	sysdevdob.exe
4996	adobloc.exe
4996	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4952	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	87
PID 3956 wrote to memory of 4952	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	87
PID 3956 wrote to memory of 4952	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	87
PID 3956 wrote to memory of 4996	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	88
PID 3956 wrote to memory of 4996	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	88
PID 3956 wrote to memory of 4996	3956	d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe	88

C:\Users\Admin\AppData\Local\Temp\d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe
"C:\Users\Admin\AppData\Local\Temp\d81bb9b21fa2e5124b5815049026bcc9d428e8b8ee1424b9d0e3b55798696ee4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Intelproc4Z\adobloc.exe
  C:\Intelproc4Z\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc4Z\adobloc.exe

Filesize
2.6MB

MD5
7fba1a0c25ae01bf882cac0805998023

SHA1
cbcf4e115566f84fcc55e65c0e9331f05fa2c634

SHA256
43171574050c8beb910e198f4f1abf8d4ff3f70310101affe26de0a37f8c78a0

SHA512
e04ba49e583f03df53cbf3f66292b2ab04fb246127b13a3569fd11037ff153aa264701ec1de04e124e4e0d06cb896c74dbd2f70445d067d2aa0bae62a26b3e27

Download Submit
C:\MintAT\dobxloc.exe

Filesize
2.6MB

MD5
9da6c54dd0fe0d0bd1cfe52fbea128c7

SHA1
457649c51a1a34a55a0a0461b367551baef5355e

SHA256
6ce06f4364b2ea6e5bef6ef29cd37ea8d7074f09b63ac2b69b4cc9ac190e7a80

SHA512
4f905dfebb6043163dd27164b9d47b92a0763a59b573d3bc6ab50a39423d043245bd38909f3b1ca20cd8532c9cb7685aabae4b13576a24512ca764d8ea4bcdef

Download Submit
C:\MintAT\dobxloc.exe

Filesize
2.6MB

MD5
553a5d0fcdb540c79294cf030a7d46d1

SHA1
fad20af916b866a37df14ea284b669d55d9bb5e5

SHA256
54b36599fd7ef4f212ce9b7daeab528db4e7dd457b58b2072602214c77c32b7f

SHA512
89d5d9349aee28692d67daa234c71563ab2cceb5d40a6e0ba56001a5d30c42e14fdc168417e996bd4017b8f647f9616f6ec460e5fb76dd3524719393c75188a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
a1dfdade677671c97b83cae2a5afd96f

SHA1
1242a671ad5b26938dcc398004c84b6955d84dff

SHA256
271d4345cd65932fb3d1e7fadd62f6158d81ca98548de7ac26bc6f987d070d2c

SHA512
300452c2c868cabe7bf4a5a477e97fe2c37e6fc248d7c4321f11285adc4c3615094dae92560ddf909c118f0d24fcdf14f196b6d3c3109ef16e2481c78b1ba8c8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
1abbd1142642f80d28e651863a56deb4

SHA1
fd69f2c6489e396d761f82d7fd44c7b78d0b2368

SHA256
d4ae92ae8e53294b81b11d5b1fc7444a2f4dc4e60727e3596a73a8624b6a31a0

SHA512
624ee62367d24fe13e2572541cc581567d6346e2e7bfa918b673d67f4a590ba271bdb49d435c93acf8d744ee98c6b3108a765011bd35bb511972fbc197bb1727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
a59764c0cc84cab114679d9825c2f9ce

SHA1
8a586bddbf111e5aece1ddd9da90f4fab7fa4c57

SHA256
fb2cbfc7dcd4ba6898a2071b93e27acf376b179085726adb2a933c01ce067cd4

SHA512
7a1b20df8cfea781bb8a8ec45b742772204abd4a260d0292603a82096397c443deac86a7b8fca3def0944ab31533185ce9c5b395f233d7b9efff678fa151485c

Download Submit