5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39e98716029fad9961399c48c93dc20N.exe
Size

2.6MB
MD5

b39e98716029fad9961399c48c93dc20
SHA1

7863d214700f1dd6b8cb1b44fc2171a7e4f22771
SHA256

5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda
SHA512

e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	b39e98716029fad9961399c48c93dc20N.exe

Executes dropped EXE 2 IoCs

pid	Process
4836	sysxdob.exe
4596	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDU\\adobloc.exe"	b39e98716029fad9961399c48c93dc20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1C\\dobxec.exe"	b39e98716029fad9961399c48c93dc20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b39e98716029fad9961399c48c93dc20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	b39e98716029fad9961399c48c93dc20N.exe
3888	b39e98716029fad9961399c48c93dc20N.exe
3888	b39e98716029fad9961399c48c93dc20N.exe
3888	b39e98716029fad9961399c48c93dc20N.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe
4836	sysxdob.exe
4836	sysxdob.exe
4596	adobloc.exe
4596	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4836	3888	b39e98716029fad9961399c48c93dc20N.exe	88
PID 3888 wrote to memory of 4836	3888	b39e98716029fad9961399c48c93dc20N.exe	88
PID 3888 wrote to memory of 4836	3888	b39e98716029fad9961399c48c93dc20N.exe	88
PID 3888 wrote to memory of 4596	3888	b39e98716029fad9961399c48c93dc20N.exe	91
PID 3888 wrote to memory of 4596	3888	b39e98716029fad9961399c48c93dc20N.exe	91
PID 3888 wrote to memory of 4596	3888	b39e98716029fad9961399c48c93dc20N.exe	91

C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe
"C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\UserDotDU\adobloc.exe
  C:\UserDotDU\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotDU\adobloc.exe

Filesize
2.6MB

MD5
a925afbcfd77fc6d45921836f8454ecc

SHA1
ede9df1545c4ca31a36aad3453f6b307fbac3ab5

SHA256
6882e923013fd920be422287228dfdfb9704a128d38117a25aa542c65e625185

SHA512
b9f049f97fd8ff8bb4d6a729b90930f17f8f06e3b4d462b040b8b3ebff88f1f76c8df36d5b0159f0d1b2c8d5dca05c2c455c28821ccd9d20b3410f7bf01cdde1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
c7d84f889ee6a953db1ede54e5a09669

SHA1
d0e069936839fcfc0c48c6fc38b8131ccf7efcb1

SHA256
bde371db17e97cc9a3b7eba15310c6e6577956e9a419537c0a33aff5830a382e

SHA512
2c86ec5509478c19a424b53d4ab38c6bc8f067fe1a634c6a63dd6557314e3c004c04009bae7d3dc9ff91fdadd2bf81434a5efce0f8ac4cb73c5c6317c433f1c4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
11f2893729ed1d2951b0a02d697a5568

SHA1
db2ba20306689e4c580242e9171095870e6507ee

SHA256
f3e0fa0cf6ecc6700c214a4d0ce154ed15990b7889678ed22c04437679028107

SHA512
ebece52a3977b3596534bf4d775bbe284122c146b90380136626f6266c7587b131f86f3b151b3e1ad004ee9dab31bfe99ba06983d401ed544a6356635b3e1841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
fef8c54dde14d6345a1acd5968b84d4c

SHA1
40cdbda542e282b05fe610343a59bc0515225cf4

SHA256
eac4d4b74d73af13502d3d6941b183120be7b9a04230cff63fd6bb9951e0aa15

SHA512
b33448daa6fabbfe6a1062818d41215718fb943537ca3ddcc179f8a85daaf8ba034bd1399eb92a23a5b9bcab87bc9a905da45a0e32217657050db831f6c1d4ce

Download Submit
C:\Vid1C\dobxec.exe

Filesize
2.6MB

MD5
395fcd50f4ee8febc782c5d570ebf731

SHA1
0a08943d2534a51282e7473ac4883bb005734e66

SHA256
1e91aa1b9d6b4351e75301092e063b57fe74dcda55313662342de3153dee159d

SHA512
4e0cf3b2c9b00ebe85fd59af4dd59bae2b25070c6642d72beea06f634904c302c9135be5e5ef93b060362e0b176b9674bc07e6c842ff37bab172868a614f7a6b

Download Submit
C:\Vid1C\dobxec.exe

Filesize
336KB

MD5
69357a24ef22b81a3ef595c49f7fd2a1

SHA1
7e209cbb268b3c4900ccf81d6ce6de036163d034

SHA256
8bc7290a4542640f40a6595bd39733fb288d5a7559914f78146f8caea64f24e2

SHA512
5f06d28ef7e77cd2ad7d60ff62846def4c36e72fe01bd034fa5fd10110842cbe6f4ba56806313a475e5579353eaa280ef6237a9c7b90739536d99517c4970aeb

Download Submit