14bb8089f60455e3c63b11190c3c016e052dccfd4bb7a3ff5c3ce5b71774b695

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3777391aa10c9f219311bcbc0a8723e0N.exe
Size

3.6MB
MD5

3777391aa10c9f219311bcbc0a8723e0
SHA1

14cc5d502851c8efd8140184f8205c38b50eec05
SHA256

14bb8089f60455e3c63b11190c3c016e052dccfd4bb7a3ff5c3ce5b71774b695
SHA512

8e3821eb12a535e175554fce4837c5c5e6a0b97c6441fbfc7c6dc2600b571b6169521af4a85169c88be96abe7bb77c6eed5a91a1a233121499cadf202ae089b0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	3777391aa10c9f219311bcbc0a8723e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	sysadob.exe
1936	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1320	3777391aa10c9f219311bcbc0a8723e0N.exe
1320	3777391aa10c9f219311bcbc0a8723e0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXK\\xbodsys.exe"	3777391aa10c9f219311bcbc0a8723e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\optialoc.exe"	3777391aa10c9f219311bcbc0a8723e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3777391aa10c9f219311bcbc0a8723e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	3777391aa10c9f219311bcbc0a8723e0N.exe
1320	3777391aa10c9f219311bcbc0a8723e0N.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe
2156	sysadob.exe
1936	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2156	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	30
PID 1320 wrote to memory of 2156	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	30
PID 1320 wrote to memory of 2156	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	30
PID 1320 wrote to memory of 2156	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	30
PID 1320 wrote to memory of 1936	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	31
PID 1320 wrote to memory of 1936	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	31
PID 1320 wrote to memory of 1936	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	31
PID 1320 wrote to memory of 1936	1320	3777391aa10c9f219311bcbc0a8723e0N.exe	31

C:\Users\Admin\AppData\Local\Temp\3777391aa10c9f219311bcbc0a8723e0N.exe
"C:\Users\Admin\AppData\Local\Temp\3777391aa10c9f219311bcbc0a8723e0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\AdobeXK\xbodsys.exe
  C:\AdobeXK\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeXK\xbodsys.exe

Filesize
3.6MB

MD5
fe4fb70ef649575b87822e5e42d24054

SHA1
cead2824aa6c51e83604cfe16429b49ae63957d0

SHA256
07908d1260bd835a2b30c38b4c583ea21addf4af13b8d4e07d934e792b865578

SHA512
1c550005c0ffed6a6d9166edad4d9664142067ff77622e9dc32149e346ff8dadd8f27052c49690158b7a15beca0940a758faa71db0223f0bdd0fbb924fabae49

Download Submit
C:\MintKZ\optialoc.exe

Filesize
3.6MB

MD5
68936abc0580e977c60f9a97101ebafd

SHA1
efc6c539a05539ba17544d01049d9d58e8b6fe6d

SHA256
d67c68e9ea31a3b5742bcbcb5bfd45ae09074b08c691784f33334d88b2e7acf9

SHA512
a6ad9ae8b82f21258a596d5149e15f3b3bde20b865599bd048ae77e1a03adf6770363342f73a09f6fa97fbcbe8b28bae7192cedbe4360defdd78e489d4bb636a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
6ac4a8d78745cc6ea7b5ae94d9cc719b

SHA1
3a2713a1a417e190b556a8489c97b15eaa75d80a

SHA256
c639ced3fabfbec9fa3a63c27bf3293daeb523ee0202adb31ea7251204da6809

SHA512
ddbddaa6f9f3d42008af1d8c0a540abf96f8db8d97287f7e53bc928945b571ed95fd298c8a59a7bb129e8145394726267ca32e0417c8e489229d8476799150de

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0aef782e71874a302d8e94771b316458

SHA1
6512ec0c998ba8ddc06fa2b4d8ce6553ab0dbaad

SHA256
510c5f27a66fc2f91aa27cc770971287ba34b192ce11ed25a8129d4e0631dcf3

SHA512
b706b08ab57c8f83f0375c0be82d907df84468d442350e2d285cda6523267a9b749824cceb6a1ee5080f192e717db2293bd9a066a36b2deea7a1c47d5589adb5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.6MB

MD5
f63dabe5faa3d8c7875fa23121190f8b

SHA1
8878298520ffd3bb8d93f460ce284ccbbdd0e2bb

SHA256
b48ecb6f6994f176badcff5b19e2a75d705b31d02fe3ab0025401dc174c35ba3

SHA512
fff82aed028a79967a6a7794d1d597ba8e5caf639de3984ed4c40ec587c64384fd4c2e7b9fcb396cddb224910c2382a8dc39e6fee9b5775760d2a113e567bb72

Download Submit