295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Size

2.6MB
MD5

d26b5adb1b5ea2d0fa196ec3b837a355
SHA1

9e7cd4f04c060c64d7773812b662dbeba3148b32
SHA256

295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32
SHA512

680a5265895eff8a09e9e3ebb7f70fc4d2d8a0fb07e48eafe869ceaf7c9bb5612e5a6614888d1eeade03b39d69016aa2139b239d18369df55293b90f82836c47
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe

Executes dropped EXE 2 IoCs

pid	Process
724	sysxdob.exe
2764	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9Z\\adobloc.exe"	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK3\\boddevloc.exe"	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe
724	sysxdob.exe
724	sysxdob.exe
2764	adobloc.exe
2764	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 724	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	86
PID 2780 wrote to memory of 724	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	86
PID 2780 wrote to memory of 724	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	86
PID 2780 wrote to memory of 2764	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	87
PID 2780 wrote to memory of 2764	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	87
PID 2780 wrote to memory of 2764	2780	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	87

C:\Users\Admin\AppData\Local\Temp\295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
"C:\Users\Admin\AppData\Local\Temp\295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:724
- C:\Files9Z\adobloc.exe
  C:\Files9Z\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9Z\adobloc.exe

Filesize
2.6MB

MD5
fdbd7a1152ab0db8965a7cfe90600512

SHA1
26ccd2ecaebcd8e2a19cfda267d7c078bde9a8ca

SHA256
564dfc1290a0a9a08ec5ae6a8cf666e5b9ecb737b4ba4c95ad39f7a3199659d9

SHA512
207c575de1adcfeb2dbc322f7a40e7a0ec0fd0093ec44c7a79c42395e709050fa72426027beec2bc4c419ba9c9fc9b0934d038611a19cc5ce2684d1feab8f3f2

Download Submit
C:\LabZK3\boddevloc.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\LabZK3\boddevloc.exe

Filesize
2.6MB

MD5
d14f3a096f5d19a6584ee213bac7b994

SHA1
bb619f36d5c9e8eae2256ab8b810a60b1c5e5af1

SHA256
c42efbd329573ca13f589dea9dd0bbdf306517fcc497f5ed372c74779b39db52

SHA512
000ff53e3608193232ea37377f0fbe708ac244bedeba566573f42614f21c19f81a675a102766a2adf0cdd283bc7985b7a4e240cb5fd0d16f9e6951b6edd4a788

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
93f460237f451e4ccf701c52fba40e30

SHA1
31f0433907e768fcb2c397c965b0814b7fbf98ab

SHA256
6172a5e8d0853619ca11eb56a33345dd8bee711ee728eb82912d6e3e5daa1ef5

SHA512
d31496d79a970a0d6c9bf581f1a77f330a638c4d55e3ade2c14048e08e0e2c6d0288c1800122fd827a115b751fbf85bdab054682d9eb88be6fb73bc6ab60e477

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
0a816590c9f3757763af7e920b2e0835

SHA1
82620a2bf429e6952fd463e26267b8f9cefd1155

SHA256
1c5abc3641d6956a45ff7e55d55e81fea309256899b96c414f3d11af02b4b969

SHA512
4633c440d83fb77c92ad1e57d7c17f5c33523dab851d80555270d9979784f940a573b309eb884eca6f22f7b7e932f2e571b0dc9eb2a1917206b63c01fe7d6edc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
4140c56b2de7cec48ba10d0f93bb924f

SHA1
70f7f973927ed98f9bfe14b8ce131c1e856e804f

SHA256
8dffff1ecc1fc0982ff5dbc657a0693c3f05591882db11bd73adccb44cf7ce3e

SHA512
2fdbcb3f6027ff273bcdc8281e09c2fb7d1b0d6ddde1dec74ef54faa4dd4dfbae81c12073c16e57d332a3609a586721dd38054908605bc2bd3160bb5feb6b98b

Download Submit