78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Size

2.6MB
MD5

77ae978e70a61e48348de3de0fe1c507
SHA1

b83817213588ed4a1c6d62eaf36d0ad02b5dbeb2
SHA256

78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e
SHA512

44d5b525a7ba8042af22918d5d27ae9d98df81a627382253a577d400f488bbf983d70dd037be7e2a07077463a31622c36571fd187e0968ea3e12a44c8c15e050
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe

Executes dropped EXE 2 IoCs

pid	Process
32	sysdevbod.exe
1916	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0Y\\optidevloc.exe"	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDG\\adobsys.exe"	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe
32	sysdevbod.exe
32	sysdevbod.exe
1916	adobsys.exe
1916	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 32	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	87
PID 1436 wrote to memory of 32	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	87
PID 1436 wrote to memory of 32	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	87
PID 1436 wrote to memory of 1916	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	90
PID 1436 wrote to memory of 1916	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	90
PID 1436 wrote to memory of 1916	1436	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	90

C:\Users\Admin\AppData\Local\Temp\78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
"C:\Users\Admin\AppData\Local\Temp\78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:32
- C:\FilesDG\adobsys.exe
  C:\FilesDG\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDG\adobsys.exe

Filesize
2.6MB

MD5
9686dc27d771e7f9b6a8d143d279007e

SHA1
bc99e856c9fabd94ca9461577f21a5627df2c508

SHA256
f4d4741fcba256eebc78a3a48d74590b9bdec76c1a96d8076063651e754a2cb9

SHA512
c51fe716afa708cca320c652cc7d95070957bfae58cafc225e1a193d2dfc0e39646515dc60ac4664ca25ec4a759a8cd93f1d17bc265ea281b48accc6478ab674

Download Submit
C:\KaVB0Y\optidevloc.exe

Filesize
207KB

MD5
166c335674af2af322d9c3ce8f19af02

SHA1
691710ba0a767494c751e22e74ac888e89027afd

SHA256
96d1a70d13b932ef68f7a36d78e9324b279887500b26b88eb292810559037622

SHA512
dd28102a56152f1d96ab9eccb92dc2bee13f767584e7c13ed44e5ba1d2642e3027dc49d56784e305345381648dfa0ca8ba0a386081d5db469b5b97932d780190

Download Submit
C:\KaVB0Y\optidevloc.exe

Filesize
122KB

MD5
d213a094de4d099b3e2a4c787d9c885a

SHA1
14f4aeca921d59ece0134facf902ee9563396259

SHA256
603e04591db8d72f15a21f2cd749a96bdecf37f8aec2585c11dafa8199c1a916

SHA512
8992cf048052dab11925969b1c76f0bbb235e65085c08b629f7a3dece6f79c0ca01dabfb34200cb1947b3812a4e2327e8a3afa91bdff0d94a9f00988af3c2439

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
a443bc637a63b08c59432acfdd9a5eb5

SHA1
73aabd5d876a7b6b69386e4ba0e31d5ec11198be

SHA256
a416a2af2b2238ba01695fb2b89a571936f4918cb424a1c71893d7483fdf97aa

SHA512
4b2356676604746fb28124db69ee8bb596bce4796f505c6c3ad422d52406e19604a3e6d02063639e0581d4d6661189c878da008dded680b86c4de86b920522e8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
54277c804c92047d8ba049e33b9f9603

SHA1
864a07f2e1fb1cc8dcc26b71df527bee8276ad69

SHA256
f7e1ea4de8cdf0b0d7735380be132ff88143b1b0a77667e76e3e76bccb14b66e

SHA512
be9fe9ee70fab07fea583a209db87e1635310647d156e2acb2df4bda8fb2dd4266ba1c0fd9af2e12fc25208e834e45da5248f1792276a3184606d57edde0b912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
d867b7d2c5bf3349cb5c76b00a1ecc08

SHA1
8bbfdff4ce643627ffe2d4755dcc2479c1219994

SHA256
316deb43f4b27ba74b05a0e53c443cd706262da14bf96fc84f753cfe2cc16f99

SHA512
9c4500f06009859daace46b0755b1c44ac826b528e69362ba21c8590b77f7808dfba88f3328961265d338beaedfd43e6a6d0b4c863c0de13072b4d1aceda2e89

Download Submit