Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
- Sample: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
- Resource: win10v2004-20240802-en
General
- Target: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
- Size: 2.6MB
- MD5: a5036f5b6a68443b3bc0b943593759dc
- SHA1: 72b024f1a9778ec9ce0c57e65003b4a31656fb45
- SHA256: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225
- SHA512: b63e62b93d81c65ec1726832939cc6ac2f2ab3bbecc191909f4225613c8b1e4c49248587d42d58c227fa28cf674798a075a941dac7a417dc552b026202fb1546
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, the web browser credential store.
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
- Executes dropped EXE (2 IoCs)
  pid 2952, Process sysadob.exe
  pid 2872, Process adobloc.exe
- Loads dropped DLL (2 IoCs)
  pid 2676, Process f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGA\\optidevsys.exe"
  Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPC\\adobloc.exe"
  Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sysadob.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: adobloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2676, Process f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe (2 events)
  pid 2952, Process sysadob.exe and pid 2872, Process adobloc.exe (62 further events, alternating between the two)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2676 wrote to memory of 2952; pid: 2676; Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe; procid_target: 30 (4 events)
  description: PID 2676 wrote to memory of 2872; pid: 2676; Process: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe; procid_target: 31 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
  PID: 2676
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2952
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesPC\adobloc.exe (depth 2)
    Command line: C:\FilesPC\adobloc.exe
    PID: 2872
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads