b31b77ae853bd0406f1827f487693770a124e1e83f33d8f0042b88ee2bd749a6

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 10:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccbd25c7faefbb3772d07bb2f9030f50N.exe
Size

2.6MB
MD5

ccbd25c7faefbb3772d07bb2f9030f50
SHA1

c50e64658c9a71b008e8bd269a905ceec0565fcf
SHA256

b31b77ae853bd0406f1827f487693770a124e1e83f33d8f0042b88ee2bd749a6
SHA512

e0f9eb333c22955ad7307f844772edf4312f6c3c50d871967a4950f9ad165b50321007dbfafa79c34421abfccd361e78bf7c9f8c0e79b7f06050ce46ace01c00
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	ccbd25c7faefbb3772d07bb2f9030f50N.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	sysadob.exe
776	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI6\\xdobloc.exe"	ccbd25c7faefbb3772d07bb2f9030f50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX4\\optiaec.exe"	ccbd25c7faefbb3772d07bb2f9030f50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccbd25c7faefbb3772d07bb2f9030f50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe
3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe
3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe
3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe
2796	sysadob.exe
2796	sysadob.exe
776	xdobloc.exe
776	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 2796	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	88
PID 3856 wrote to memory of 2796	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	88
PID 3856 wrote to memory of 2796	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	88
PID 3856 wrote to memory of 776	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	91
PID 3856 wrote to memory of 776	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	91
PID 3856 wrote to memory of 776	3856	ccbd25c7faefbb3772d07bb2f9030f50N.exe	91

C:\Users\Admin\AppData\Local\Temp\ccbd25c7faefbb3772d07bb2f9030f50N.exe
"C:\Users\Admin\AppData\Local\Temp\ccbd25c7faefbb3772d07bb2f9030f50N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\SysDrvI6\xdobloc.exe
  C:\SysDrvI6\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintX4\optiaec.exe

Filesize
2.6MB

MD5
d77b035f3e76c73ac656113d74dd0ca9

SHA1
7b786612ef917c27410f917c1d10bcbe83e270c1

SHA256
0c48b1064c2ec05055892828bcf7079d13ce8f224d7b529238a98f98b440d0ee

SHA512
6ffacf912dd041adad3aa6b6cdde9ab8b3b6dd8c13b6a2b212576884a3a9fb0f9671a3913abc0ebc3e76ff0da4dffff0e9b64b81247c26e782756954411ca5fd

Download Submit
C:\MintX4\optiaec.exe

Filesize
2.6MB

MD5
f6580a7c4f4d1896393a45fa4244879b

SHA1
0709588d052dc8ad912090f090c0513d3acad301

SHA256
c74561a1037368bb502dc937b4d6104e5fbf0d386d7e8b5333b1383118e93a6b

SHA512
ad238d1b937a033bb3be87d5f55dea371dfbc89d70b844e983b5442e4543b48a3f3872749883f951ca0a497967378362fbe44f6e645a363b602f7b859a50ff6f

Download Submit
C:\SysDrvI6\xdobloc.exe

Filesize
221KB

MD5
64766604f02197f265368877ad5414f4

SHA1
70107ed36bd1d4d1026fd31f0266a3802d6e73a5

SHA256
1a77cffdcf46652d56edf84a919ee3d6994b40f161e08278d1ee48fee24ab77f

SHA512
52d84e6e06fbdbdd35f9b09863b07cf0c9d6df3a15c749121ea31029e13b23ce988da2457a5bf4558907fa771d26bf0bed85e3453f7cbb6c0a52bc8bdfe393e2

Download Submit
C:\SysDrvI6\xdobloc.exe

Filesize
2.6MB

MD5
7c6cc8a2292fced3834bfec1ba8270c6

SHA1
49c697ac163c3e1cf34a3b2b07111104cbc6d5c0

SHA256
728338c9746b2eec0082278cc6d541cd7bd474f334f7ad25b70936ccde9616ab

SHA512
a0f409726cf9ae1fbb06c23571c417fa8f75dac3471650fdcffafce003d8a7138f9450d6985a71feb5c7a5534add7646608a8a1502457515cfaee17f32e35446

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b7a17337d693c47c9150767275f15b7d

SHA1
9ac4170174df9e2b73b065f7200adc33fe1c7d50

SHA256
32f551e258afb0f21f3fe25be8dab70eb5bee7d5baf44ea14061b37e4d023437

SHA512
94f8bd8e0fb853783d0a2ae5a224d0766af5cfc1176dae7875c936a8c81b95ce0ad3f44bb37520e0bfa8852ece783fe745078786b706b509cc6fbc5ad0bfe1a9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
396e73b7ae2f6de8a8ac35750c2e8dd7

SHA1
1b4981db941612599314ed83795cd6be3baeea3e

SHA256
778fadb294625d94a2ef2c79b284ce46f0b8aec5c41830070f0a6430b5f1ec2b

SHA512
a7c8e1e71f4a01a0553f64f5379ab05f74d0794bfd6d6ede79a6156f2827fd4243ceaaf3d8de4f17cf5f95cf412f04770fa6dc24b426b53927da48e588df0683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
600e2978ac00830fa0a8f4339f07d758

SHA1
3e4ef24ab63d9d95b9c00688251362450e2ba5ce

SHA256
abda4dc1854176cbffb4c663f3615acb32b0ae127a5f9a0ff2cdfd599a041ccf

SHA512
bf2ca8acbe8be7677f911bcbcf02fa2b872a90aaa3af73df0b1aa5c13a044bf7e52bf0285938237b54b2b670d854146cc43be10d5f1d148b196261ec18591f0e

Download Submit