f8ef150ffa64e2894583009c83f11154bdc45abda02e59f534c51def659104e1

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b176ea06a57fb9de514169eda1d3ed90N.exe
Size

2.6MB
MD5

b176ea06a57fb9de514169eda1d3ed90
SHA1

9e618ca9fc8cbdbfd5877f9766b19b056b5c4e48
SHA256

f8ef150ffa64e2894583009c83f11154bdc45abda02e59f534c51def659104e1
SHA512

77ee34bcd927c396d55fe45101f295fa4141a804c09621ccc09bfead8a9a281f2a51bdf4036c9e3816785a3be022de6fa273082f02baa0906dd55bc65d5226ee
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	b176ea06a57fb9de514169eda1d3ed90N.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	sysdevbod.exe
2668	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	b176ea06a57fb9de514169eda1d3ed90N.exe
2312	b176ea06a57fb9de514169eda1d3ed90N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDB\\adobloc.exe"	b176ea06a57fb9de514169eda1d3ed90N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBF7\\dobdevec.exe"	b176ea06a57fb9de514169eda1d3ed90N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b176ea06a57fb9de514169eda1d3ed90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	b176ea06a57fb9de514169eda1d3ed90N.exe
2312	b176ea06a57fb9de514169eda1d3ed90N.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe
2288	sysdevbod.exe
2668	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2288	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	31
PID 2312 wrote to memory of 2288	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	31
PID 2312 wrote to memory of 2288	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	31
PID 2312 wrote to memory of 2288	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	31
PID 2312 wrote to memory of 2668	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	32
PID 2312 wrote to memory of 2668	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	32
PID 2312 wrote to memory of 2668	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	32
PID 2312 wrote to memory of 2668	2312	b176ea06a57fb9de514169eda1d3ed90N.exe	32

C:\Users\Admin\AppData\Local\Temp\b176ea06a57fb9de514169eda1d3ed90N.exe
"C:\Users\Admin\AppData\Local\Temp\b176ea06a57fb9de514169eda1d3ed90N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\IntelprocDB\adobloc.exe
  C:\IntelprocDB\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDB\adobloc.exe

Filesize
2.6MB

MD5
61510b80266f23e69cc1c87a166b800d

SHA1
59a3633ed87a5f441bc5fb75dbe26e8880c4c9ba

SHA256
cfe064303344088aadbae5ed3b7d96f68ab74d492d40ea9c5cfb4d56bd6c5812

SHA512
fef11b0a539098ad4d6559637d39fadb1386329a90587fcc01cb096a78e480668cfd0a6551cfcbb0f2b1854bc453b5a730fba428eb5c390b8513cf4cb39e846a

Download Submit
C:\KaVBF7\dobdevec.exe

Filesize
2.6MB

MD5
9f9bd906d61dcd6074cdaf0b9e91f553

SHA1
51c1a32170b6ce17530f27734fd209ae92040fb1

SHA256
5f74745579b77f7c8abb2e9dc406cf61e8c910a421535bbdd87bd2c6d698ef6a

SHA512
0bf9cb53e660fedf64ae4ab771bed381aaf3b29514c2ded819c5833b60e6833e214d7adfa9f2990c91490742dfb0b0cf45d3a7f6ed9b1d24b3f859a43a92eb80

Download Submit
C:\KaVBF7\dobdevec.exe

Filesize
2.6MB

MD5
10e00609335b8e17d69a386471db8a94

SHA1
e5c32733510f7573f2259a24dcfd075cc8fe02aa

SHA256
8f9d346e17515ce5999e816d528e96f087ff1e43b4f39d6bc5d9486faae59735

SHA512
9e454c2f92b6b42725a6ff57e3b63a304a073ce6968b1c5f5251d9483460ae80405c3e495e7526495fc58ae4605c43d4cb474db6c5811f767f12cd1db04901e1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
a1ade00cef97ad4939a060013edc915d

SHA1
b62b2b90d43315784f362ebeffe565d60318cd2e

SHA256
ac8a2c6c6a1a3d1c085ccf98dd7b3542a8df06a5b0591b1a7394217277bfff8c

SHA512
6224902e618d566eaddaa0d26ddf5ccda520d6fcabee24e7d23c9bd158f62b57b58d6af430af4ff9f543bbb5533f9f09caa26a108f7a3da5858957ad035fcded

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
b889c2d687da9228f2bd0d7107c94964

SHA1
8e62a0a37ae8ec1db3562398efd7479cf39fcfbc

SHA256
6fa3fb482ac375090ba9281b68ae1605b7a8d0a1a1e610d5d89bcd6d93be739d

SHA512
7cad0366aa0b29be57b3f4e6f54f511e200d17797094a41aa4c20985cc620154a8f8f990d07ceb5a0de525987c0e245b9ba73e6fcf55bd71bf84531e1655df4f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
e5a9aa7685a75c17169a05390b52c06b

SHA1
98c41918b155d6f3710f5b6a6526479cbdbd9378

SHA256
5d9e7dcdca9b43b2d59a30c6e9deacbeb981776a67bb64fd0d3f035beb684d11

SHA512
ea74e758ef05e57453a47a6335f93c7620b81bf14b8a4dcd517a327e52a245da4f3c54d5d06c613f2826b83f2b0634a3d36f86b6e90046245f9f2408dbc3798b

Download Submit