2377e5c7fb9deeae097ceeeef8d168fcc9db1018cddc1f2f2172b8d60efef539

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e36bec5b6893a77f788eff5293ff50N.exe
Size

2.6MB
MD5

d1e36bec5b6893a77f788eff5293ff50
SHA1

4f620d7513e6a2a44dfee5e5c090a5054a553bf6
SHA256

2377e5c7fb9deeae097ceeeef8d168fcc9db1018cddc1f2f2172b8d60efef539
SHA512

80ebb5f6b5459239f1ad773ae5ae7f34296d10f9b7b7c87de8c34d783133a5a507daa2383d65ae866f474295433c58ddb2ef04c7a49dacad0caf0ef84fc9d78e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpRb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	d1e36bec5b6893a77f788eff5293ff50N.exe

Executes dropped EXE 2 IoCs

pid	Process
4616	sysabod.exe
1076	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFE\\adobsys.exe"	d1e36bec5b6893a77f788eff5293ff50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\optialoc.exe"	d1e36bec5b6893a77f788eff5293ff50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1e36bec5b6893a77f788eff5293ff50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	d1e36bec5b6893a77f788eff5293ff50N.exe
4412	d1e36bec5b6893a77f788eff5293ff50N.exe
4412	d1e36bec5b6893a77f788eff5293ff50N.exe
4412	d1e36bec5b6893a77f788eff5293ff50N.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe
4616	sysabod.exe
4616	sysabod.exe
1076	adobsys.exe
1076	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4616	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	87
PID 4412 wrote to memory of 4616	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	87
PID 4412 wrote to memory of 4616	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	87
PID 4412 wrote to memory of 1076	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	88
PID 4412 wrote to memory of 1076	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	88
PID 4412 wrote to memory of 1076	4412	d1e36bec5b6893a77f788eff5293ff50N.exe	88

C:\Users\Admin\AppData\Local\Temp\d1e36bec5b6893a77f788eff5293ff50N.exe
"C:\Users\Admin\AppData\Local\Temp\d1e36bec5b6893a77f788eff5293ff50N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\SysDrvFE\adobsys.exe
  C:\SysDrvFE\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint68\optialoc.exe

Filesize
2.6MB

MD5
87dcc7f76a3a74973eb0e26e4b5748bb

SHA1
30ff5177b4245bd01912d66639bd0de605af7936

SHA256
91634f43ea97625ccbe6387227698dd1aaf6b2b789dd725b4aaf9bbf92f2cd25

SHA512
8be82d9c8a3c5f4a94989c71a3dd71b028037216f4fe18197cb31bef7073084f79f9976482f80754bfbe6672d876b4b5ef834e87a90b4f8eefbf683902561d20

Download Submit
C:\Mint68\optialoc.exe

Filesize
298KB

MD5
42f7ad7849214974541e099cf5031b02

SHA1
21aebace0943c4b075a8df08167986dc35400171

SHA256
d69c1a6ea6cc7312fbd9c2e832accb7101939859b0328252f23db2d2892e88b2

SHA512
30fbed2d4605145d98706340c7d0b7469a5be814bea6434bda004a4ab69813974f2d1cecfe6af9de018b77eb51ca19e60994f7e5655f8a49f0b4fce4cee71063

Download Submit
C:\SysDrvFE\adobsys.exe

Filesize
2.6MB

MD5
5031dc07dd7f724265270cbcc568fd6a

SHA1
1fe05a03e3d710b2727301549412d2a85d64bf2c

SHA256
a0480e3a52b208dfec8a28ec42b0dada5ea0a5568a89b4b3f9d1ee6ccd55cdb8

SHA512
8fb6a3ded6f4422b031ab785a6327ec24dcf877d4699f845ad751fc10144cc5874154ef77e1f78c032fbb2e1b9340c077ccea854d8530163b01b7fd091953be3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c4843afc2aa76b7656b890edc5d6f621

SHA1
8e2e74efc411a871d391d023648e5dae9582ccd8

SHA256
a109b11303ebaf1111f9343cde7b4af5b6b0748e6e5d71aa76048242e8fa7dd6

SHA512
bb7ec703432875ed904b8dab8fd86c597f7827a0588bcd3b726364c5a20d543ad01ab7cf629153492ad1c5372a5269f4a2946eaf55e783d045ede16f7b2fb7c6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
8166e2d9051292e99d091c9cbe7f7582

SHA1
2d3832be747fabdbead8e52506b25c8c9e33c04a

SHA256
772eb06d9c707eef69d50033e3d4160b6f551ebf77122354906f410ff957346b

SHA512
83b46a8b2ef18f82ece7ce063971badd378a32aa13a2df97461ac3a8b5d9bd8c8798cdcfd10a4cffec1b3f20864fa2d356bed2ec567662039b4c4da4f1ff3ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
4fe9a14f5380f919324b6be445ab2374

SHA1
4460a479300914863f8b51d89e3c90789fc02541

SHA256
165cce75820ed31b237e97fff2ec4bd2d9eef0894db9b2843dc8cb086a36afe6

SHA512
7349b44d1b635f3f1fe8aa921b8d868f1449db96f1e6c79245b4bb560b7d7c5c7265ec1f951bc08c090335a78b85fe501ddb71a98da527f8c4478412ed488cd3

Download Submit