605462499aec72f58acb9fa44400e0a527983a3841583d896dec263f94b9fef1

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbcc0a5058bbe4b43d97f2affeef770N.exe
Size

2.8MB
MD5

cfbcc0a5058bbe4b43d97f2affeef770
SHA1

5c3ea2f2cab84ad6abc4b531ff682213e8630774
SHA256

605462499aec72f58acb9fa44400e0a527983a3841583d896dec263f94b9fef1
SHA512

d3cd2c64bb83ab0deec74dc2023f189b42a19601f2b2e898547b2066dfebea979028516d46bf6e888b7f624e389f051fdb6d6abbbe3c9c13ba640323034eec8c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8:sxX7QnxrloE5dpUpJbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	cfbcc0a5058bbe4b43d97f2affeef770N.exe

Executes dropped EXE 2 IoCs

pid	Process
4392	sysadob.exe
488	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesF9\\abodloc.exe"	cfbcc0a5058bbe4b43d97f2affeef770N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC2\\optialoc.exe"	cfbcc0a5058bbe4b43d97f2affeef770N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfbcc0a5058bbe4b43d97f2affeef770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe
4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe
4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe
4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe
4392	sysadob.exe
4392	sysadob.exe
488	abodloc.exe
488	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4392	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	90
PID 4956 wrote to memory of 4392	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	90
PID 4956 wrote to memory of 4392	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	90
PID 4956 wrote to memory of 488	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	93
PID 4956 wrote to memory of 488	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	93
PID 4956 wrote to memory of 488	4956	cfbcc0a5058bbe4b43d97f2affeef770N.exe	93

C:\Users\Admin\AppData\Local\Temp\cfbcc0a5058bbe4b43d97f2affeef770N.exe
"C:\Users\Admin\AppData\Local\Temp\cfbcc0a5058bbe4b43d97f2affeef770N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\FilesF9\abodloc.exe
  C:\FilesF9\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesF9\abodloc.exe

Filesize
2.8MB

MD5
7c559b2513040ea695bb2d77c5aed340

SHA1
99a062cf47c0b834b0c21275e1eeae0e5ffa0383

SHA256
325c4ed303ee9301a2f06acfcc2db34d6dcc37b8af969db3cb5fa5ba4e7e5570

SHA512
234a2f2bd81723c3cef25f0519de3f456074327abad9b72ba740aeb3eacfb6188acbd61528ffee3ef56f890966d3d62f14561ab24c1b30d16c57e59c211a7101

Download Submit
C:\KaVBC2\optialoc.exe

Filesize
2.8MB

MD5
85263919f64611b90a8bae44ad3f71b4

SHA1
af937df050c5ab38856b728f628321331d67b8eb

SHA256
d4502287dfddd3565dd233dd81dabba9f657a213d224e566881fd44246051643

SHA512
e384fc1090798c9b7dada7d2ffe3565d12243351929ab68666c601a5a21a00aa3738acabc34bcb4c19ee985020e1850adbf9220660620854fe0349cf7c80c600

Download Submit
C:\KaVBC2\optialoc.exe

Filesize
2.8MB

MD5
babae3eca34cb8a9f555c27a5cc686ad

SHA1
9e85112e934eeac52b1cf39037d3fd70fb8d1029

SHA256
8399b3ff72f4ab147f8b1b6e7d4c45737bb401b4d68d8c18020ea1164b9604d4

SHA512
267f56e1fad9904f119c3bf6a5a788071d94603b4447a0d5e95ac1216603cbb185a472724487f85e85ee49098fb9f74cb8ac12579d571e43f2dadbc18f5e6cfd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ddd91aac48e14f8ac60aa8240f6bc80b

SHA1
faa2349d047dcc191fcbf80cbd091f0e3bc56589

SHA256
c2bc8eb144f1a96c7d3dab24c2d572643afc8c894eca5dc848982501cb585430

SHA512
bb1c0d3b7b1329843eccb9e06ea21e4d14a4be6e3cc4cb6076ed944416b560b1092d69010f116c2a3342b1f7adac3fc1c7b0776283936d4db561c84684d7ea34

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
4330c564488cc867b670e1e78b238728

SHA1
5ddc0955ffa110407ee464955dda6cb24055b258

SHA256
829e22f648d52295a473d8933aba6b8161207c2319090f289c8c690d90d3a1ac

SHA512
cace530546b4facc035d5cd9720fcc52da50e305ae13a11b1b42fdf93b62ad693a44dc35f0b4303bdd61ddc5c2177fd1755a94caefb4ab943d855c005745e6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.8MB

MD5
4c4ad8970bb948f5a006aab0f5772a0d

SHA1
ca7a44195dac96cb658982cf7e0437f2b0a347b7

SHA256
a12e2c2d8b218ef3622f39c3744d3ab65166948a00f2eef5f1fcaed552e05c72

SHA512
e29b1baadf2eaeedddfd7f1d7a3a16e69b2aa22e228ff793bd8e741f974a5742421ca60b999a825be5758535d2f68b11d968c063d6a75cc04bced3f5ce32b945

Download Submit