1ba57a10a08f57ece7fc8a23424143f8dc1db7299fe986ff4064f8276d36cb2a

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 11:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

133175d5e61fd1f6aab6cef422c10ef0N.exe
Size

2.6MB
MD5

133175d5e61fd1f6aab6cef422c10ef0
SHA1

73b01b73dd0b67fcb730c336c23e37dcde79edd4
SHA256

1ba57a10a08f57ece7fc8a23424143f8dc1db7299fe986ff4064f8276d36cb2a
SHA512

2805453dc9389be563f1aff7a98b2e8a85e1eb37e6fccf6aa70519727d2f8f3aa240149a201e331d2aa4e774a03124c2837eddec8d1d30f20f1d0247933eab22
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUp8b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	133175d5e61fd1f6aab6cef422c10ef0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	sysadob.exe
5068	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD3\\xbodec.exe"	133175d5e61fd1f6aab6cef422c10ef0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8Z\\optidevloc.exe"	133175d5e61fd1f6aab6cef422c10ef0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	133175d5e61fd1f6aab6cef422c10ef0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	133175d5e61fd1f6aab6cef422c10ef0N.exe
1660	133175d5e61fd1f6aab6cef422c10ef0N.exe
1660	133175d5e61fd1f6aab6cef422c10ef0N.exe
1660	133175d5e61fd1f6aab6cef422c10ef0N.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
5068	xbodec.exe
5068	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4552	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	90
PID 1660 wrote to memory of 4552	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	90
PID 1660 wrote to memory of 4552	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	90
PID 1660 wrote to memory of 5068	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	91
PID 1660 wrote to memory of 5068	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	91
PID 1660 wrote to memory of 5068	1660	133175d5e61fd1f6aab6cef422c10ef0N.exe	91

C:\Users\Admin\AppData\Local\Temp\133175d5e61fd1f6aab6cef422c10ef0N.exe
"C:\Users\Admin\AppData\Local\Temp\133175d5e61fd1f6aab6cef422c10ef0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\AdobeD3\xbodec.exe
  C:\AdobeD3\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeD3\xbodec.exe

Filesize
2.6MB

MD5
3560fd61020e97822c5a599dc2002d83

SHA1
30fe4875c9f9628ec79ffcf5ba58c74f5f067d7b

SHA256
f39258c29a06e2f9fdd984c7594a4dcbdee69d126e5d90d3cb25b12015540ecb

SHA512
b46e812d5c999277fb78e45f578fcfc1cf1b22d7b42e2b27ebad93e1d39d75d5593ef87e70e8888dea86e9ae320e5726d03f5b920723ae93b10c1f3fc0be49a1

Download Submit
C:\KaVB8Z\optidevloc.exe

Filesize
2.6MB

MD5
de173ff7e81e16dd3bda23bab5c40f58

SHA1
a559d41016419bedb44c34aa6c0f97613bbadd2c

SHA256
c71ab14b20cedd47ccea4c834f4052748fc32e142e7e1b63b59048bf480ef34e

SHA512
a5c146803f13ed00d6cd598507d8db1cf8ecdfea17a9f46aee3b86dc63b62a4c7a8aa97486fae542a5d7266df32c0ce5e0f26ca8a32d1571239169399c0677c8

Download Submit
C:\KaVB8Z\optidevloc.exe

Filesize
2.6MB

MD5
733ba6ebb1453e533b460aad8f5ecbe4

SHA1
2e7faa325f815e9bae2b98cfb25be87b5b98fce6

SHA256
673ad6e8420d90a7a0b25f7e73d1cf89d026978336f9b08795b37c766ac3aeb5

SHA512
781126efc6e189c12687e13d466ba006849cd88126a9dd6643e90e4a25bdcc4034d0f87698ecba8b47e16ccfcd64423bca770a7933d27363fd22b914bf2d878e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
cf06e28f7c677f4a36095ff1da6d84a1

SHA1
9bf2975cbe2920260b4125055f23f8358e714244

SHA256
cab0182a23741fdbacb22effd7483364a303b4cecec9cb85f329308b6a0cadcf

SHA512
dba9f65d01d667b9784ec0e06781fac6c501df4f7d1a66871add662c4e5ee7db91a2fbfce81077cd21f0c73f83715c387357a5b0d7fbab8cdf2f4ea61e30a3c8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7d6da27ce56fc87c525b8550181d81cf

SHA1
a1162c0c108f73f77258cacdc1eb9de6a46eca97

SHA256
951e5a44dad248f9c5233d195f2b33330189094c787bba061a9a371e464e6983

SHA512
7d6ab910b32f4428d19ebe5d57e86385cb42d7dd18cd0adef9031cd4369d267eacd746acea91f1087af7aebb22df7386edb3392542043ba21cb95dd0ad4daaf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
441dff8f755219994dd2dec0ec79e4c1

SHA1
ba0167fc6626cc854a24881fb7d355e8ff82e536

SHA256
5234685823bc5fcbcfc0bff6ccffa0bcf16798f8321703a08f958607016c70f1

SHA512
eb5b417930da3401351c8682963c6ce0c740ab7803d406f51a0be099b3dc021e3a4bd0de4bfe9752960406a4d56aa65a819227c9a1869afe1b11f793e8bbc0c4

Download Submit