81ab6b6337b1797f2c40d56ce8ae30e14dcc6106c5f7f162cf95a1f44544034f

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99463624ea37ccf6480be48fe8b43d90N.exe
Size

2.6MB
MD5

99463624ea37ccf6480be48fe8b43d90
SHA1

97e63d8e72b90bde1b2ad8f4684ee07bfaf302f4
SHA256

81ab6b6337b1797f2c40d56ce8ae30e14dcc6106c5f7f162cf95a1f44544034f
SHA512

dd987cf5fbc57000c0f73a2935af948faa87ac34ce39244f2afddb2583de96f821a1934546d0e276fb398d0f4ea1a9279e83f4e34442c866d67e8226acd2d033
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	99463624ea37ccf6480be48fe8b43d90N.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	sysdevbod.exe
2732	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	99463624ea37ccf6480be48fe8b43d90N.exe
2408	99463624ea37ccf6480be48fe8b43d90N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7J\\adobec.exe"	99463624ea37ccf6480be48fe8b43d90N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQ7\\optixloc.exe"	99463624ea37ccf6480be48fe8b43d90N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99463624ea37ccf6480be48fe8b43d90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	99463624ea37ccf6480be48fe8b43d90N.exe
2408	99463624ea37ccf6480be48fe8b43d90N.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe
2728	sysdevbod.exe
2732	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2728	2408	99463624ea37ccf6480be48fe8b43d90N.exe	30
PID 2408 wrote to memory of 2728	2408	99463624ea37ccf6480be48fe8b43d90N.exe	30
PID 2408 wrote to memory of 2728	2408	99463624ea37ccf6480be48fe8b43d90N.exe	30
PID 2408 wrote to memory of 2728	2408	99463624ea37ccf6480be48fe8b43d90N.exe	30
PID 2408 wrote to memory of 2732	2408	99463624ea37ccf6480be48fe8b43d90N.exe	31
PID 2408 wrote to memory of 2732	2408	99463624ea37ccf6480be48fe8b43d90N.exe	31
PID 2408 wrote to memory of 2732	2408	99463624ea37ccf6480be48fe8b43d90N.exe	31
PID 2408 wrote to memory of 2732	2408	99463624ea37ccf6480be48fe8b43d90N.exe	31

C:\Users\Admin\AppData\Local\Temp\99463624ea37ccf6480be48fe8b43d90N.exe
"C:\Users\Admin\AppData\Local\Temp\99463624ea37ccf6480be48fe8b43d90N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\UserDot7J\adobec.exe
  C:\UserDot7J\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQ7\optixloc.exe

Filesize
2.6MB

MD5
4c28e784b5e1771efeecad16a103f693

SHA1
c29327d21675a808e2265676f17a4772bb8a76fe

SHA256
3173d62d8e791332ff8f90461c9caa96ce0f1c89f6a73782d380a72ce5577839

SHA512
3303ce434e48c916a83089cb97581d114a45aff12aef2fd03a46617448ed23c2b2178e656dea5c76e89d71662536cb1ac943f4ab792d0f5fcba862ac54fbf75e

Download Submit
C:\KaVBQ7\optixloc.exe

Filesize
2.6MB

MD5
52b0d1e7f7d1d8fb399aff27902170e3

SHA1
5b423c47f245473bf5fe367719982685664c346d

SHA256
94494b428f79f506f743d858ea673c812b0df1e7bced1bb5b32643c395dde981

SHA512
4b784a1ceb3cbd64fe8efe50c9d9745ed0ee6a64e728340ec6e0bdf0e9dfc4fc50931279634d76b79d3ee8f3f57f100dfd1e493cd897622ebef39d26effc0dc0

Download Submit
C:\UserDot7J\adobec.exe

Filesize
2.6MB

MD5
887c1c901005f1d67098a603fcffdd1c

SHA1
20db4192ff21b9c9b73ce35b936d2505cea04284

SHA256
4cd5cf07e3c7366f81ef16606bb0e2b98345a2e28d7825bc3fc9e74da3d396c8

SHA512
20797479a3b94f511041949e70828c4c415dfa5808d77292ac491dba7574ca8ebed478f28044431ee0349868f5a923fcbaeffb5538139c4d357a541fef65a564

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
203df7d55e729585ed6dc852cb2a3ec9

SHA1
89f1e38ab4442ffff82d72aa81096236eebebc75

SHA256
56fa483c7105364eff8bee2966554f0f7d0a5955dd6d3f8561ca44afc809243e

SHA512
4523352d42aacf0fcf03ce5b530ead227deb29648aedde8140b79fbd5177587fdcb0f42aadbd1cde92ad3ab204f25a344b291e8595f022c124cdf89593a177e2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
542fbf5de4c3a795719f6080b6c46d79

SHA1
5f8f40b17909facee946af7fb3e73c5a3f86ab19

SHA256
fbca24a73f819fbaaf0ccad2067a71f804fb0d36a0fe2ec52f3e2a4d5debc6fc

SHA512
dcc1535228ac7bb8edaa16d2fc121a69f2fec9a5256d7444bc7a6b4a5d54e4dbfb595fca5b38f0383ce56a82da6648e08a29b433e387b2769f998eff73fe960b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
d7f9a702a32e861c5631f58f54dafc1b

SHA1
d4c3a7ed27291c503099f3a019e83383d05a42cc

SHA256
568b8f354faa3d1675f62a302522f9b790e09494bf5648f88c35c0219658928f

SHA512
a1f1a66e616334c1663c671da00aeae70c6a6c962cfa00e24177eb111b22fab4f06b6fb973645cf741c0ef9213ff84ba4f5eb398990b16a82abf930454ad27eb

Download Submit