b82ee40d34fe9e409401531175d2890699ba9ac5fbe8a45b17c35f2d32650348

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0f12b16600e9c7bca238aa73f42be0N.exe
Size

4.0MB
MD5

1c0f12b16600e9c7bca238aa73f42be0
SHA1

bdb41f2be44bbaf4d3cfd26bc15fb73a6e26e9eb
SHA256

b82ee40d34fe9e409401531175d2890699ba9ac5fbe8a45b17c35f2d32650348
SHA512

ad5882b3812813814295d698db9976b0d7b2c10fec1fa59b42a78b5e7039e08425d48d6b7cc27ddcb05b8227e1f5dd19dd0952b4c7529894dc6062126f41d026
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp1bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	1c0f12b16600e9c7bca238aa73f42be0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	sysadob.exe
2508	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	1c0f12b16600e9c7bca238aa73f42be0N.exe
1952	1c0f12b16600e9c7bca238aa73f42be0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot21\\aoptiec.exe"	1c0f12b16600e9c7bca238aa73f42be0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIV\\dobdevloc.exe"	1c0f12b16600e9c7bca238aa73f42be0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c0f12b16600e9c7bca238aa73f42be0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	1c0f12b16600e9c7bca238aa73f42be0N.exe
1952	1c0f12b16600e9c7bca238aa73f42be0N.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe
1692	sysadob.exe
2508	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1692	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	30
PID 1952 wrote to memory of 1692	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	30
PID 1952 wrote to memory of 1692	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	30
PID 1952 wrote to memory of 1692	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	30
PID 1952 wrote to memory of 2508	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	31
PID 1952 wrote to memory of 2508	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	31
PID 1952 wrote to memory of 2508	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	31
PID 1952 wrote to memory of 2508	1952	1c0f12b16600e9c7bca238aa73f42be0N.exe	31

C:\Users\Admin\AppData\Local\Temp\1c0f12b16600e9c7bca238aa73f42be0N.exe
"C:\Users\Admin\AppData\Local\Temp\1c0f12b16600e9c7bca238aa73f42be0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\UserDot21\aoptiec.exe
  C:\UserDot21\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBIV\dobdevloc.exe

Filesize
4.0MB

MD5
4b89ff54ec33db405de70292bf343c95

SHA1
2da1b9a5c4204690754bc7d09577e7e0ecdeda38

SHA256
bb2bad8c6e99f1d6f00bfc6deb47407be7853e6395c55a8f4ef4f04d9ae08593

SHA512
74e9f1f24df1ded281228aa3aae1388ac65ae11706e83c61b2f10e9e54f25af590481c6e74a5341f635a68c2868ea2c283a189b8948e71763fdf63995bb913a3

Download Submit
C:\KaVBIV\dobdevloc.exe

Filesize
4.0MB

MD5
350b47ca1874078e8eea456a7ed5afc4

SHA1
d6699f3680cbef0d82f6fa959648b3927f3c63b3

SHA256
af81292459c7696c08b453e8ad425ebddd491a5bc0e871848d587385f95ba6a0

SHA512
ad9335ad50f8cb3b9e81f129e2323ac89f429a5849c07f2bfc9f13b8ead55445724d2a6da95b693dab36f1aade4356d73836f634dca660f42dd19d9523a7ee03

Download Submit
C:\UserDot21\aoptiec.exe

Filesize
4.0MB

MD5
59430b7ddbe40b3e734712953c865722

SHA1
e9d42bc2bbe5e2c32370c5d15f3b7443fdc43660

SHA256
a94d6214a9131ccab783759419095f8126709301a4ea7598a0694f64b0298882

SHA512
9c31578fb525cd4584253febbdd26743c478b8b55f3cebe902116f6650a7e74bff26ae580cb6df977361ae3b08203e36d9e79b4c1adc85e8715e838b1c627cb6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
f4e29b57c47628f3f06dec72980ccc52

SHA1
e141895cc0f83ddbd42baf0c5c3d0566e2ab2f32

SHA256
c31f2c8ffe0174940b12acf210579894762806c8786cf8791ee67cc1a55faad7

SHA512
c053a4253861620286693a2d8fa61aaa94c03ca327d2b00f50598559f07e512bb595c04ccc3c7dd5b668b4ba6fbb3d16da9693daa8e91e1ef4e9b6b72a50c312

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
1c608fcbae698d8dff39f89004a04bff

SHA1
75588059be68c6df0464d87dbf5ac712473e86c7

SHA256
2bb691c38b7e1b4a6fab1f4c855cb2be7548c5ff71c4ded5f5fb334a4effdb06

SHA512
a364c63601ae29fe758a743d5b1993315c7e8dd1d7446515cd3e0d4a64f67b06623056974d430a83c75822c77190dd746b08bc1474d2ce665a8a6b3700447508

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
4.0MB

MD5
b224e19ff9904b122083f728e132723d

SHA1
d4eccafafb02ebdf83c75bd1c1df856901c3e9a8

SHA256
f58d60aff2fedf2f11c41a6df5a9652c7701fc333a125604bad61e79ffcaa6e6

SHA512
f64836c252c842cfc7a85e8029b8998a4cb19057ba58d8e374dcc64b3ef7d2c56419a6af0e5331db2f74f755cfd84396808416928a28718a6e2e5fbfa59f7aa7

Download Submit