d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13a7d99f039d8bea8659dfe66cd7c170N.exe
Size

2.6MB
MD5

13a7d99f039d8bea8659dfe66cd7c170
SHA1

47f427b1a3b89bcc1370af11c0826642a4586485
SHA256

d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819
SHA512

1c9c26d2435de00aa2ad10068b77c55f216da624dc450fa870da18648989663ec4892c6dc504a6311bc3c89465bc3e71c72b60cf8950bbc341805c77cd383f3e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	13a7d99f039d8bea8659dfe66cd7c170N.exe

Executes dropped EXE 2 IoCs

pid	Process
764	sysxdob.exe
5036	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7L\\adobsys.exe"	13a7d99f039d8bea8659dfe66cd7c170N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1J\\optidevloc.exe"	13a7d99f039d8bea8659dfe66cd7c170N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13a7d99f039d8bea8659dfe66cd7c170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	13a7d99f039d8bea8659dfe66cd7c170N.exe
2040	13a7d99f039d8bea8659dfe66cd7c170N.exe
2040	13a7d99f039d8bea8659dfe66cd7c170N.exe
2040	13a7d99f039d8bea8659dfe66cd7c170N.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe
764	sysxdob.exe
764	sysxdob.exe
5036	adobsys.exe
5036	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 764	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	87
PID 2040 wrote to memory of 764	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	87
PID 2040 wrote to memory of 764	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	87
PID 2040 wrote to memory of 5036	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	88
PID 2040 wrote to memory of 5036	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	88
PID 2040 wrote to memory of 5036	2040	13a7d99f039d8bea8659dfe66cd7c170N.exe	88

C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe
"C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\SysDrv7L\adobsys.exe
  C:\SysDrv7L\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1J\optidevloc.exe

Filesize
2.3MB

MD5
9be3f94ffa756fb681b8d21b7a4a7486

SHA1
31a5efdc17993c173458931619cedb1b098a041b

SHA256
b57ddd74a71353eeb36d7f9669eeee1397d962c4ad87cdc0e742053f344c8dff

SHA512
e3318e42b3e8a1efb3447a9e57cfd8e2f97b5ba77890dd3a08bc2a6b18a33400b274ef109ec7ed77c1e1dad603eb474574f6aa3b5d1f35a5b35b6f14e8194ff4

Download Submit
C:\LabZ1J\optidevloc.exe

Filesize
2.6MB

MD5
936e0c6816a46fd05e22088def7d884d

SHA1
da41e58a95bbbaf9e90b48008ece762022248e34

SHA256
a1974c51c581daa01f9a82f94c1d90448c95afa2ee55fb06a4bd00372992108f

SHA512
d733abbd3260d4da7b3cb937eb811a015e26f5ffd3769ca1d8d8580974e2ac2036006dfee40217ba06b5f55e23dce5a0c982258143ce961d67dd28fecb2e680c

Download Submit
C:\SysDrv7L\adobsys.exe

Filesize
2.6MB

MD5
97cf1ec5b786d79c46b832d84bcc65e8

SHA1
50fd6e4fb134aed8c8120fa907e4e94ab9a1f500

SHA256
81c3c5cb62545b3d44a76239af935ae36c4cb841ffb4a30ce18f0305733ede02

SHA512
280034e73023e4da57388a20075cad782786a050a4653939136b1b355b37d97e814fd3a436a100b5e3c48dfcbdabe077f1cafc4a6555a0272c7a1352894b1527

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
14d5e0f61344c529149080f1bb672608

SHA1
6adf7029975fe2d7f5a8687df55e25ab08957ad1

SHA256
3aabafe93fac566ab409dc8047a82305e8f575f9d680575aaf4cead264b1a7b0

SHA512
3c9ed3e83563661b86d7c073318823b91dafaaa45c58790b783127167b36eb73e10c80bddb6da62641daaf4571b44c69bd9c2bd1537f751eb0de1e3d8019194d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
ea2bcb4880a11f9573b32f5d614529aa

SHA1
c2b513e817e4a335132edf0f1e83bf3bf1e14bc8

SHA256
8b396329d6dd8927afcbf49732c3c4cde91a6f97ef7008b743869770fc66d196

SHA512
fbf3d776f9e0962fece2ccd804267b62f53fa988882aba3fa32942286723e1418e1d65daff6a9decd69020ba34838f5cc1fb4b26c85255f857133dc079efe801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
1fb9d945492143497a71e8f59d725684

SHA1
6b7701f3116b6e24df3300f0880b7c78d13a020a

SHA256
e4b81d622e0ec7ccc37e3a02979e7425def1999ba1530c5a359af3fd85a7aefb

SHA512
82bbac14031473690d6c5d5188951dde1b2f71fbcd932a5203cb5804d9a18cee3f1a17a29efd165f67eeff7470432a52b84051e54d3c8512862bb4548f2dfc5c

Download Submit