cca47cd581e73883ed369432e24b3ed65126ee119c0a270b9a6b14642be5d4f7

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 19:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

403613916f6088f2d9f8cac28c754ec0N.exe
Size

2.6MB
MD5

403613916f6088f2d9f8cac28c754ec0
SHA1

1b8831aa4c873a9b2737d19fa5d9e66e8e8dac54
SHA256

cca47cd581e73883ed369432e24b3ed65126ee119c0a270b9a6b14642be5d4f7
SHA512

8788527bea28a87695318462595df7c9ee1bf01f1a39fc9ee39da42c4a36d59d9b811485b1e33f02b66fe889659f0f3a66e6ca15ae6dbfbd566b67b0d8f41956
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	403613916f6088f2d9f8cac28c754ec0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	sysaopti.exe
728	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG4\\adobec.exe"	403613916f6088f2d9f8cac28c754ec0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW0\\dobxsys.exe"	403613916f6088f2d9f8cac28c754ec0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	403613916f6088f2d9f8cac28c754ec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	403613916f6088f2d9f8cac28c754ec0N.exe
1920	403613916f6088f2d9f8cac28c754ec0N.exe
1920	403613916f6088f2d9f8cac28c754ec0N.exe
1920	403613916f6088f2d9f8cac28c754ec0N.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe
2516	sysaopti.exe
2516	sysaopti.exe
728	adobec.exe
728	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2516	1920	403613916f6088f2d9f8cac28c754ec0N.exe	90
PID 1920 wrote to memory of 2516	1920	403613916f6088f2d9f8cac28c754ec0N.exe	90
PID 1920 wrote to memory of 2516	1920	403613916f6088f2d9f8cac28c754ec0N.exe	90
PID 1920 wrote to memory of 728	1920	403613916f6088f2d9f8cac28c754ec0N.exe	93
PID 1920 wrote to memory of 728	1920	403613916f6088f2d9f8cac28c754ec0N.exe	93
PID 1920 wrote to memory of 728	1920	403613916f6088f2d9f8cac28c754ec0N.exe	93

C:\Users\Admin\AppData\Local\Temp\403613916f6088f2d9f8cac28c754ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\403613916f6088f2d9f8cac28c754ec0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\SysDrvG4\adobec.exe
  C:\SysDrvG4\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxW0\dobxsys.exe

Filesize
2.6MB

MD5
f93b2e86f724f4437fccd8a08890986d

SHA1
cd8ccd9c1c5763908ad5a4d464c0947b238a0a17

SHA256
0f6e6693f617cf2783b2df70f357c0589d463f1d045c0cbe8480aa5344ed1a36

SHA512
49c35b01c8d36b2f6939a03b4a7d53a9a2c7e27c5c27050297bc318e0013034b044c85fb296f9518321e97ca71bb6d261d5e995565071179a3f62cd55b167b9c

Download Submit
C:\GalaxW0\dobxsys.exe

Filesize
307KB

MD5
102f7bac70123a2f9e364873c6f6d110

SHA1
d5ba16dea2ba86959e249e431f52605bce42343d

SHA256
33d5cbd219c0364619b6b06a1f36cb0208bde7d7b23375556541cc94b31bd930

SHA512
a9a5ff416391fad5e49daef33e6fe169c94617f41bc3916201ec7979d3be5078abce8f11a8b2dfb80633ca12e790a952861621a6ddb491f2c76bf795089b3e39

Download Submit
C:\SysDrvG4\adobec.exe

Filesize
911KB

MD5
906e58473a807d5cc2c8a85c786eaf0d

SHA1
44a0b2993bd664fdda7957fb1eed5c517525f7da

SHA256
c4cf019dbbfd37ffb8529e9d65d6352a1526521e41c40a8522879a1620d535d9

SHA512
25bc72b728424beacdb8dbcbd136349ccfba3330d2ad043310051598da8928952958c9a1d9c65775758490b162eb25c34ab53203a0a0941442c14e52bb09e00e

Download Submit
C:\SysDrvG4\adobec.exe

Filesize
2.6MB

MD5
3006d33b8a3d6759678e7b3be51e7869

SHA1
f4a564d7f6232b553cd72d3251c9561c6e28e527

SHA256
0781977a2647b2b8f48e226e8e990fdbfc2de15031ce1750f672434b5df6811b

SHA512
8804fdd4487cb2021507b44ce08a82dbbaf948d775d5915dccd3cb90d37b6fd6f5399bf6d51443cd9f01562f0cb9b5f7e42158072f9aa318f1a84e1f543e1baf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
8c97311643e3798fcefcc511abc2e2a4

SHA1
9d2b6c5354a8cc3b5798d12d910175c024123c37

SHA256
35e0f10e7b3898f28dca51632602464f86126218b4c0f5d25c706f874348f01d

SHA512
fc1e4d009ca8ac5658190eb786522fbdf29cfdcdf853862c8253d24247c1351988c3552ef3cf59ef52ae3c6013f8053b833616ddb000cc5a6ebdb5ea2058e510

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6067aded0d4387242fd1937eff21cf95

SHA1
065f5130acec396165aea28f1e8cfd21707daa02

SHA256
46c699ec51360261fca81f269b7d8c9bbd18303feae9d56dc48c5a37f2be92e4

SHA512
caab92e797c8603cd2ac0c1ae86458e98eef3ccb7a2a1b799e7815f6cd25530bd171f137c8f761104e564546a73129f7c56482296f5add0b45d4516a21b07cac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
edc595d349d2724ceb1d74c3ae262104

SHA1
d2fcefff879cc3efe07c7a9e4334ae90ec578a04

SHA256
77f0a56b518b0408bffb3cc8a03bb0fcd4092e74bfa9d65df53d058f16391246

SHA512
27732cebaef375c3a5837e74a9cf1502f30f24cd01c8511253825f12555123cff5ee45d4035553879fc84759c8aa535ae49611dd2619d95009813c8600a88295

Download Submit