18d9e6e4776e3b8b5a2eca7143cbc31e344387419f7d336ffbdba2c6f71346be

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9916257fef89c7a9962da8536cd868b0N.exe
Size

2.6MB
MD5

9916257fef89c7a9962da8536cd868b0
SHA1

0ba8ef9222931e78525baeba5622aa42fd3a86f8
SHA256

18d9e6e4776e3b8b5a2eca7143cbc31e344387419f7d336ffbdba2c6f71346be
SHA512

8d2cde92bfa66665c2c930c3aef640b8f5350a80e4a3a62b41896a74d72479971bddeed6fb46167e3df7273e0e1f3da8769e108aa7fb471f213564b89f94cb19
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	9916257fef89c7a9962da8536cd868b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	sysdevopti.exe
1448	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5W\\xdobloc.exe"	9916257fef89c7a9962da8536cd868b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB58\\dobasys.exe"	9916257fef89c7a9962da8536cd868b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9916257fef89c7a9962da8536cd868b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	9916257fef89c7a9962da8536cd868b0N.exe
1728	9916257fef89c7a9962da8536cd868b0N.exe
1728	9916257fef89c7a9962da8536cd868b0N.exe
1728	9916257fef89c7a9962da8536cd868b0N.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe
2720	sysdevopti.exe
2720	sysdevopti.exe
1448	xdobloc.exe
1448	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2720	1728	9916257fef89c7a9962da8536cd868b0N.exe	86
PID 1728 wrote to memory of 2720	1728	9916257fef89c7a9962da8536cd868b0N.exe	86
PID 1728 wrote to memory of 2720	1728	9916257fef89c7a9962da8536cd868b0N.exe	86
PID 1728 wrote to memory of 1448	1728	9916257fef89c7a9962da8536cd868b0N.exe	87
PID 1728 wrote to memory of 1448	1728	9916257fef89c7a9962da8536cd868b0N.exe	87
PID 1728 wrote to memory of 1448	1728	9916257fef89c7a9962da8536cd868b0N.exe	87

C:\Users\Admin\AppData\Local\Temp\9916257fef89c7a9962da8536cd868b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9916257fef89c7a9962da8536cd868b0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Adobe5W\xdobloc.exe
  C:\Adobe5W\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5W\xdobloc.exe

Filesize
406KB

MD5
ef2e9a01be0d51b8fef1c4baef3ee50f

SHA1
647db3313af437a841595c4b255680c376f23a8a

SHA256
f09da1b6abed7e554d64b226468e1236fef2872f1b4e584ab340dd28a22937b6

SHA512
a27a3f6ce71f20b9950a79d3fc0dfa7fcd6b8ea1fd280769ecf96644262dbd62232f1aba6f9b6da25894de5d4c1762d24381a8f3470b27a3b0bd8607e6ec0202

Download Submit
C:\Adobe5W\xdobloc.exe

Filesize
2.6MB

MD5
fb57951337dcf5911154103d0e4fdce9

SHA1
24eb4970597e27249dc8649670aa58e4ee1069e1

SHA256
3fd86ea41e5f3d3ebc41bfb5b214770a1e2630ecab571044dbe46b20e463942d

SHA512
ca131c41bddf68b263a8365db266ba3d115cdbca2e03e4320a36d9fc1abc3ea36f5552638c0e825b3fb70e6d3e85dfa6e819b6e054cc6eeab2339c6c5cd3e5e9

Download Submit
C:\KaVB58\dobasys.exe

Filesize
2.6MB

MD5
f91faf8f55f79acae55ca1a822ffa569

SHA1
3723ed73d6298d0a5311a1a4cf37ecb4953043c1

SHA256
41bfd218027518b91ecc0b521e9cc0c05cccc13cff8defd1903ce7c209baa344

SHA512
9e732978b56954fed0b461feb37864da93810adf1454363a67fdb1da51db30786acf2f28f45291cdc8256253187fbd7916dac49b4f38cc42da4339a2f6669472

Download Submit
C:\KaVB58\dobasys.exe

Filesize
5KB

MD5
c346de548654eab088b033eeb72e5ab8

SHA1
61d5e6da50d6f7b00217db8a4faeabab00794f6b

SHA256
1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c

SHA512
71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
978eb045213a3517222778dbc4f78e5f

SHA1
01d4547cb18843ca66558258dd12741a59fdc5f0

SHA256
3ce3eef60de4acf52a43fc9167a064b934bbf312f3c5391263ac8bacf481480c

SHA512
3302c0b50d98b6bb1e9d911ad1e1da7207168c8bc6fd1024a06bfd8d40f02c66a4ab4aff470442f3784c05ac407a53ffd176ba8ebef1cf656238820f8950514a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7b64f2dc3f50b5406bfcc09a61dcbd67

SHA1
92aa6150862581a9f24a1bf422342a8b167bcb87

SHA256
495c9173d57a6dee17341e1c17c90e520e6e39c8b2b75a88d1c08cb1c4251372

SHA512
74978273ebb507c4b3cf47111e395d7e8686bec5c45908a6dd541b6605efd985ba15e776d56d43ce7fc16c1f103ff05c6d21233c2881f007ac43c1ef80bc90e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
a84d3efceb65f4a90177d2346db86431

SHA1
bc7a6ca8cbc77aa904248e1181b3a8671bc5f8a9

SHA256
9be82a659ac37712c050377566ad9453da17c085f83174fa22705a49ca0a1251

SHA512
331ed51de6ba161b56c1668fd3a926106caf2b2cfec1007f9ca5d55e0375ebef8219a8143b5a27f1113cf472efafcad01017fddcfadba4409a3298b4e792d366

Download Submit