bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
Size

2.6MB
MD5

1ef65379fb8b9a4031b68ee839b05fe6
SHA1

b695a9d3e4cd4904747935d76873d4479984c218
SHA256

bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994
SHA512

8079e975bb40e5f3bce8a18f4c030d9da6524b836d5f6e8e1abeed426db7106af54cbbec22344c472ef9080c12bf3e09d7c0b672f443ea29d30c5ae267e0fc05
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe

Executes dropped EXE 2 IoCs

pid	Process
60	sysadob.exe
2296	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeED\\xoptiloc.exe"	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU3\\dobxloc.exe"	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe
60	sysadob.exe
60	sysadob.exe
2296	xoptiloc.exe
2296	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 60	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	88
PID 3756 wrote to memory of 60	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	88
PID 3756 wrote to memory of 60	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	88
PID 3756 wrote to memory of 2296	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	89
PID 3756 wrote to memory of 2296	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	89
PID 3756 wrote to memory of 2296	3756	bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe	89

C:\Users\Admin\AppData\Local\Temp\bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
"C:\Users\Admin\AppData\Local\Temp\bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:60
- C:\AdobeED\xoptiloc.exe
  C:\AdobeED\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeED\xoptiloc.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\AdobeED\xoptiloc.exe

Filesize
2.6MB

MD5
5b04abfb70f63c3a9e891977319d2315

SHA1
74e1cfad10f3d1fd5b567902913e522bd89eb5ae

SHA256
8140cc46eba1960412cb1ba08a3d5fe21c647301f11314d02a53fe556ba978a6

SHA512
08821edf36b982fef03a93e07e188d8e1529deab86a605d4b5b871d44eab97acf6c20077d90b3fc7b26f9b4b3f5fd3b7c9b1a9ec5eb63d61f1b00448a1f41397

Download Submit
C:\KaVBU3\dobxloc.exe

Filesize
4KB

MD5
ede40b36034d11420daf9b761d447622

SHA1
83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7

SHA256
6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4

SHA512
0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

Download Submit
C:\KaVBU3\dobxloc.exe

Filesize
2.6MB

MD5
43f3436f393593fdb2e5ab8f3569bd81

SHA1
1450e228c561e9f46646c024e8d72f97996a0d9d

SHA256
c19f5c0c62c5f9b5b88690323a1cfe4c5dcdeca2c293c6a0b0cc34e0a6143fca

SHA512
96fb2e302af0cb81f8beb5d89952f93f79299b7748e92c3ce5627fc023dbe6f528164e500d0e259394076bbcc63af15d49fe44c0bf13bbf04d793d33b10b26c0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
27cc22543cc4eafe166fd15152f4bc5a

SHA1
ec48e5c55284e687143f7835d8af4748d29c18b4

SHA256
bedb3757c991ff3224f45a590154238956621152434086a08d6f1edc2872a550

SHA512
66ab1836b67715def83db0484b2f2491b4260b0791658646831db2b41fa580cda499175a499636cf524b9b5dfdd4124b6662beff617c661e017304d33b6abd4c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
1626df9605f1df0f9b4c924b073a3138

SHA1
0d6e3f721bbf30814b0b50f225fbc4b9505cb169

SHA256
a2a2c7fdbd9ed5dc0bf26a22f76b3437a98c713d1b2e3d4909147201ca252cee

SHA512
936b18aa155f52ac37af0fd6613899d7cddace26fafe5005f3beda7d01e8ffc969a37a57473245762254ec2ef57fc2f1d195de167708731cd089e6c805cab2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
0351be83c2b6a2a41484b67378becdaf

SHA1
e65c161c5d11db4a3222f1dab88b37cb6b13b933

SHA256
7a4b9611ef6163cc91a948e7d0361b3d8eca1615c19ada22a3a1b77994e7ef1d

SHA512
e39609698081edf37aa2d5cede2939bc277905c05328027bd26707c23a1d2baf49bc584f00daf43d4c81da98c12047042781bf09591a974251bfa4b33cd19588

Download Submit