6b6e925ef9c1740711034eee6ae66ca208d219b8fb8fb93b561070aec3e83a5b

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8daa92e55bf522c3ea32db9e7b85a50N.exe
Size

3.1MB
MD5

a8daa92e55bf522c3ea32db9e7b85a50
SHA1

472806c86ca4f06f8f8115a764cc149ba64cfc29
SHA256

6b6e925ef9c1740711034eee6ae66ca208d219b8fb8fb93b561070aec3e83a5b
SHA512

10092873245de0933ac696aa0d7072ee81eaf78787a2f19eb98d58f908f36c66e60d84cef6dd174d318a64f55b4543bd8b7d04eaf2278a2e618e5b6672043cd3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	a8daa92e55bf522c3ea32db9e7b85a50N.exe

Executes dropped EXE 2 IoCs

pid	Process
4152	sysxopti.exe
4168	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMZ\\adobloc.exe"	a8daa92e55bf522c3ea32db9e7b85a50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU6\\dobxsys.exe"	a8daa92e55bf522c3ea32db9e7b85a50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8daa92e55bf522c3ea32db9e7b85a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe
1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe
1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe
1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe
4152	sysxopti.exe
4152	sysxopti.exe
4168	adobloc.exe
4168	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4152	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	87
PID 1704 wrote to memory of 4152	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	87
PID 1704 wrote to memory of 4152	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	87
PID 1704 wrote to memory of 4168	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	88
PID 1704 wrote to memory of 4168	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	88
PID 1704 wrote to memory of 4168	1704	a8daa92e55bf522c3ea32db9e7b85a50N.exe	88

C:\Users\Admin\AppData\Local\Temp\a8daa92e55bf522c3ea32db9e7b85a50N.exe
"C:\Users\Admin\AppData\Local\Temp\a8daa92e55bf522c3ea32db9e7b85a50N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4152
- C:\IntelprocMZ\adobloc.exe
  C:\IntelprocMZ\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMZ\adobloc.exe

Filesize
3.1MB

MD5
171dd5c97225667c7f94b84cef97e0c7

SHA1
9c7e4d1c7cc9f2fdaf83fec0d15882c0fd77cf27

SHA256
3d87513a290ef52a6de6f76ef2c46b59c109da4cb34f58eeeb97881583cc8165

SHA512
5c4f1ef314a82ae77b525383f9eb7b3c2c8de3b23f6c97c61b8745d15a16e1e143b89ffdadd6ca397a2e211c3f89d742aee25df339ca31f2c33875ed9fa5ebfe

Download Submit
C:\KaVBU6\dobxsys.exe

Filesize
95KB

MD5
44f615afe3f1056a942c0d1d9ecf82e6

SHA1
01bbb4ef1d5c2be533de61a76c71ef91d534f5da

SHA256
beb0904d031d60a0ac1b6820f28596656f7a73e9858d2e9941245ea4508599d0

SHA512
a1b3fbe25cede25ea40936b988c329964146963583e7fa032087996c96630165481de4e68224f7a287fb3be1e5be24f178f2b4a8e12929f6953abf29265f2acd

Download Submit
C:\KaVBU6\dobxsys.exe

Filesize
3.1MB

MD5
0737a49d42fdfaa1f8bbc406a7c5a39e

SHA1
a03ee233bd8415fc914dbbe8265f818b0955cf53

SHA256
873d37ee2eac3bee1667aa3b8bb49ffd94579ee59899d1650f3f03324e450037

SHA512
57318fdc599b2a6455552a8507e04dd464fc33318fe18b4bee71212c85228b488eaa06485a244c409e7725c2f80080ba5e1e52dd110a9aeb6705d713e0fdf811

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
e5dafea2155ae91d8de8aff6608cc96b

SHA1
8cab31bb83b4655d3e7ca36ec2c53ca4c2555d8c

SHA256
816d941aa1da3f1836fe7042b2519dad2250dda1f506f5980d5b8fb5ed3a1c65

SHA512
5ecf2e80ee97f8fe58e3cf4cb76c274116da53275e0624c741c7c9e8b405002847fbbf1ff0e05cdab42072c9d4092900cd67db5195bfc7c67ae984f3ef87f661

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
eaae9842f6630a4318172d4c3617f9b1

SHA1
ae7f40df7d36e922f11f78dfa7228b32f1d2c2ec

SHA256
b4f6a3cd039f93f1caa10942d20928d0b35b3a08e76fa4b233590458c82867c4

SHA512
f111cc3551cc71751f6c5a053be942731f65ab18f78a4f054fd9be761aa0916b77e0eaa715a266f61583e7ec2fdd2660065ef5e818d5063eadf901c971e0178d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.1MB

MD5
53e5c83e63b42871473aeca5a1f7675b

SHA1
00326190860052535b1451bcbb227d07ca9750c2

SHA256
4dc42f0eae819ddbab62dde668d080ef6ed9871a7f4e614c2b41e784d9f56f59

SHA512
25b58f6456acd7c5cc3cdaf6ec0d1e5c8587785868b612c6125d6186eaadc3a10ee3d87f4413a2fcb769770cd40b100ca62067a97513055e78db31da1cd97b00

Download Submit