aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Size

2.6MB
MD5

98615eb3bdf077c6d2fd904ab9345bd9
SHA1

ad29b0a62a148fa6921494a207cbe1911fa8b838
SHA256

aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47
SHA512

3364f34bab6483d7d30e16ac867c0cf71f6f658d9759c6fb2276f04298b018ca13ff75c8b554bbba0fa890d7ff6a743ca39ff38e5b27ed5eb71a166ac8d48a78
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp3b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

Executes dropped EXE 2 IoCs

pid	Process
1536	locdevopti.exe
1676	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIY\\adobloc.exe"	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4U\\dobdevloc.exe"	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe
1536	locdevopti.exe
1536	locdevopti.exe
1676	adobloc.exe
1676	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1536	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	88
PID 1904 wrote to memory of 1536	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	88
PID 1904 wrote to memory of 1536	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	88
PID 1904 wrote to memory of 1676	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	89
PID 1904 wrote to memory of 1676	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	89
PID 1904 wrote to memory of 1676	1904	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	89

C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
"C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\IntelprocIY\adobloc.exe
  C:\IntelprocIY\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocIY\adobloc.exe

Filesize
4KB

MD5
7b41954bee8856da62ef57345adc3522

SHA1
11b72bcd158990287c7502b2d89a500dd528be97

SHA256
53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2

SHA512
6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62

Download Submit
C:\IntelprocIY\adobloc.exe

Filesize
2.6MB

MD5
cbf6f6d095a87a5b6f2138732e2b502f

SHA1
324f9766ad1a1ca9c9f5d268867e75a55e399112

SHA256
53f924a90cbc3796a26963265941b29c18369f4f57ad72da5b3cb01e9b1e3f52

SHA512
3efd3bbd5db52580a1d4e89718c2cc02987b59f724c8e41ef7ae52b54b16127ae4f8bb0dc3d2f2503b6ad0c0804e700f35737063aeeda86a15011a76ee164b77

Download Submit
C:\LabZ4U\dobdevloc.exe

Filesize
2.6MB

MD5
47481cadf50bcf1883d6de9f486215ef

SHA1
0f0c360effc60be426f3a801a85f841fa6041a22

SHA256
9935955d7a9b4b01248c1824b717ccff19d5e69ec2b8c459d5bc575048317d15

SHA512
5ec77ce5b8b2430170a7d1e4221f61dd2baebc412da0b5d5ee53023f5120804d1e65d5ca636dce47c219206226b21002efbaa05aae408f4272684c47777724a3

Download Submit
C:\LabZ4U\dobdevloc.exe

Filesize
2.6MB

MD5
801eb4c2042efca71857e6dfaabdb14e

SHA1
eb942e09a6d1c75eeae7c14a50b0ea5d58745944

SHA256
cb5d569a586823435829ac21b741a655f057ca52f95b9965136523886a374f69

SHA512
e9e872c84d0ab73c8f62edf86745e5e9b9f1db3121ec81a5545587d6877d8719367932cdd84f22096d784541c6ea7a12f6e8259e0eadd75b76cdcf48626ea0cf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
ab2ee4eb83160d67c5ef6d15085c560e

SHA1
8bbcc17cf86b5db296f4cee68b5f84e217bccfd2

SHA256
567e09dd60645ffa24e0e8e75db20b54ba03d846cd433cace609fa42ff19e795

SHA512
58b8ce1253d96acb11ade7004e39c2b728ed42972127f540a450da5c5412d4e3394e2fd5a1f8538c7e307e53de863344dae26587e45847e728ce970d1850be41

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
9e73eebf6e43c9e8bcc80345294a8cad

SHA1
7a2bfd07b07fd75f86747e295e4ca0b6558974f7

SHA256
b1cf67c9196980e783d7a6c0f90df19ebbaacf8f01671a9524b303d7a52752ac

SHA512
308fd64655414fa638305d1b7991d73ffda6d2b3d9924e94bbdf32b1368c753d8bd2854bb71a2b97b4588166bea8cf94252034876d146ad0eed8acecde5f73ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
687010e6a8e2f6ab52f6d17dce3c980a

SHA1
799b23b4a51b68498c883da3a123781ec6a2b0b3

SHA256
503bfd043ffd0ff3d1573101184086acbfd523e5141197e86a292a2d385aa79d

SHA512
3182305a375bc52699635ee5053be5d35a81e01bea68da573065e7a7d20212133a44f4f98953142f44a943192b0e6a16e0db00b274aaa2dd8ddb0d315cff1437

Download Submit