bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
Size

2.6MB
MD5

c7955bfb4aa2feca05c4bce9febd5147
SHA1

bf28201522dd04d476b2b0423242dff966958d15
SHA256

bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59
SHA512

8f3f72d1ccbe39355eb81fadc80fb518fe69b32c032333dc34fd497f34bba4e1c1d3a3e5de029cb97cdf06f12d11af078c705f767f1e1758d3fa0b483f58d898
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUppb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe

Executes dropped EXE 2 IoCs

pid	Process
1616	locadob.exe
3148	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDI\\adobsys.exe"	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCD\\optiaec.exe"	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe
1616	locadob.exe
1616	locadob.exe
3148	adobsys.exe
3148	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1616	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	87
PID 1400 wrote to memory of 1616	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	87
PID 1400 wrote to memory of 1616	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	87
PID 1400 wrote to memory of 3148	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	88
PID 1400 wrote to memory of 3148	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	88
PID 1400 wrote to memory of 3148	1400	bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe	88

C:\Users\Admin\AppData\Local\Temp\bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe
"C:\Users\Admin\AppData\Local\Temp\bb0e31f1344738bf8de01c59bc33f4e0427cb85d6b238067d0533e65e78c2e59.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\AdobeDI\adobsys.exe
  C:\AdobeDI\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDI\adobsys.exe

Filesize
951KB

MD5
bc54e73490b4c363f31305bb863c1a34

SHA1
30ca50399c495e8c6ebc77dd8f2efeab982bb5b8

SHA256
9c3a18be5686492f085bcec4f9fca514d37453deac587654f67c4ee54b985203

SHA512
323fef1509c9368d2c992fdaecd398ce68f1a0db1de3149c80acf094277b97356a956120816a308eb5c90fd346756694003b6c21843459b31b1161d712f592a1

Download Submit
C:\AdobeDI\adobsys.exe

Filesize
2.6MB

MD5
2d6af5c23c4fd661c1a0837e08dde814

SHA1
32eb9bc95e5cb95786cb345281bc86fdf2e546ef

SHA256
5d3fed025588f9c0b9ba03cd999befd2526691fbd1ed20190988da192194275b

SHA512
4a3513205b65ab31ddb05f69169bd6f7d5213482cb6d7ef21110020d1384fdcb9dcb3e700587994ebad5be66945ab69cb9a6a76c5e0c065917259034fd0ba61b

Download Submit
C:\GalaxCD\optiaec.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\GalaxCD\optiaec.exe

Filesize
2.6MB

MD5
4b94524dc536921fe09ea6349ea1dda2

SHA1
5188381e79125a501fb898634aab6a254ffe783e

SHA256
b1f346e6072548e64a3158d0687931c2206af6d820c66b8e43510a0997fd0d4a

SHA512
4543d598ef9e78b567b87a1bc57c1a57b4de1c59b542d9dde6c4def3cde650b85d59207644068a95401ef2ab21f1acba44534223cd372fe2252ad9ab1d9fcc3d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
0bc44eea92af88a8c0d85ede58c9c9ba

SHA1
4174f206da897e723857fc3db072d2eafc49664d

SHA256
7e0b98d70082c1da844d7b5455cbb1882f01d5a256dd52fa550b92f1253c18cc

SHA512
36bb0231a4b64e20590bd59630d50ff7c1f089c199865ed8d4192a3943ddeccab2c8264751da1025783ff744e1e8210e7deda630f61e7ad242788d5a8ab9f131

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6e5d120f28dda3f43a07df5a3fe9161c

SHA1
fb5510e7069471b491c213032196ae5372b323eb

SHA256
23205a571cb483c95d6c1c5739cf339597c164da010ace8966b005d7a2b30d49

SHA512
5b075123e3463008e93484f6c6012631da32d1385b3a8b44dee000c3ea090ba7fad9f24d376dac1d90c6e8eb3d302756eef7543743d346d5dc436ba14d587825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
bd02f4d5940769e8102af5de8472ec1e

SHA1
dfca1ce4c7ea2a5e3119998c575e43728d82180f

SHA256
4fb19ec47fe7a4071c1e5fecb455dca9974add43f4988a8cd4a1cbeacf1fa53e

SHA512
4b7427c51dd8a3266a51ba4f5d54bd94f28fddb4b793516f831bece162bb9cba643806cc195270e9decec2bb83a30d1ce768f6ae2a2419098e28d9653fc1a13c

Download Submit