daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 03:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
Size

2.6MB
MD5

b37421dd8f43486ac4e4dab5dd313f74
SHA1

0fd6d6bc5f9e91340a2ba070d6fe2a9cc701401a
SHA256

daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1
SHA512

a7a1e13c8330336e58063d7d22fd7bb6deb28181468bff7db914679a9ae760d159c03f6fab4f0cacfe86a724c7f3ff4098cfd86d2b58b421b1c04e74d193f992
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe

Executes dropped EXE 2 IoCs

pid	Process
3852	sysdevopti.exe
3412	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUS\\adobloc.exe"	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3O\\dobaloc.exe"	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe
3852	sysdevopti.exe
3852	sysdevopti.exe
3412	adobloc.exe
3412	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3852	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	92
PID 1856 wrote to memory of 3852	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	92
PID 1856 wrote to memory of 3852	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	92
PID 1856 wrote to memory of 3412	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	94
PID 1856 wrote to memory of 3412	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	94
PID 1856 wrote to memory of 3412	1856	daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe	94

C:\Users\Admin\AppData\Local\Temp\daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe
"C:\Users\Admin\AppData\Local\Temp\daec4197a40cf30b5cd73625259b3898aea8718c198ede3ef898794db28ab6f1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\SysDrvUS\adobloc.exe
  C:\SysDrvUS\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint3O\dobaloc.exe

Filesize
2.6MB

MD5
5a195905acb49f6b98348ce40a451043

SHA1
2b7eb3d4b281efa9a29cf9f7907bc2e343d6c37a

SHA256
1d1c2102787dd2c6da7f6b75515e0011362d2419057e63ba88d59204be3108b0

SHA512
d5d40711596320b02369885277e9cca7ec915b5304605eab6367099070d45c0dd5e6180fbc072b2da5e2d9b42d414eb4ff8fae4a95d5af50348dda651ef4a030

Download Submit
C:\Mint3O\dobaloc.exe

Filesize
144KB

MD5
194dc3ba26207312c1ab8e16ee731b41

SHA1
ceb5b8e43249ffd531d6bd59d28c3a7aa4ecab07

SHA256
99ed0e776bf5332f4ff75a564adaeac9c22bf7aec315e3cf8ef38d5d00257485

SHA512
5eb9078cab7914deca1cea51ce8a078c4e3318f77aee76f9039233c6b655b1608cb8942642d2e034b2f4aec0377467c02141e8f4d7594d3327efc16651789af0

Download Submit
C:\SysDrvUS\adobloc.exe

Filesize
2.6MB

MD5
4211f367af53be9be4f63d78724d9215

SHA1
63539e63e6690d6e47fad6ec3add0410c151381d

SHA256
6cf7372f78038efb9baeb491d7d36e556313ef216bfc5f73dac64770c5b62ef8

SHA512
7617df70af713bdd135ea11ca5a95adee202837cf0fce13c185a2a754bfa4b7430db3a175cc74990c824f0b72d6f4c98bc6250705ddf97e2f1f86110ad89a550

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
422b25f47efab423615db7ad016e2c7c

SHA1
3f29a9fc192a1f9d82eccbff0f853f6459482877

SHA256
b570292331de687d7f638e71aa2c61ec1cc121448dce4100d09ba0cf787e15c6

SHA512
cb502c52dec2e26faed2b91e08aaf68f885c577502a5f261e324fbec9d69a7efabbe4a4d01b8090d7c28429a39acc428e7317df09286f996f1626654bda28945

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
feb535f55ce5c65a5c424547164f9fb1

SHA1
b4f141e34534a6bbf7093391c7ab9eaca5df1a93

SHA256
a2a9be8cd6a38d61b9dc73290a8be34eb85ead56843841cf75bca44d5c83fd04

SHA512
10e399d33bae128118eb73fba0e11360d20c6cc7dc16cc83667c09dd053e9e5beae330cc7fb6219a58a7c4e5627a41812f9ebffc48a2f452605eade7f2df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
2363e7ae620388e1b5fb6fe4e0f911e9

SHA1
78aaa02aadbb0fffeacfb07cde012bc12fb907df

SHA256
7c1d33f24ae3ebb6c34f510f63fbe74186592bca58524f91e788de20f8cb8a3e

SHA512
9fdc630a52d28c2f23eaa5db02c72985d972a0df0e754768f2a4c9abed2e3420548bfb255c68c3a844fe9d6c0fbe5fe572f6fc111620c2d0162f73be4e365ae0

Download Submit