9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Size

2.6MB
MD5

0e9bb61baea41784bed2bfb475523a55
SHA1

4b4900aa8ba0611b31cc8d97cea7f1da410f7eaf
SHA256

9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f
SHA512

09edec55c4b20defdcbf7fa8d9b3cf0439876b522240097968d05e84ba52ce3549afa3dbc605fba89a185cfb3f571453dbf8ffbcc37b6c51f6556af35fa7779d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe

Executes dropped EXE 2 IoCs

pid	Process
4020	sysdevbod.exe
3904	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9E\\adobloc.exe"	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBO3\\optidevloc.exe"	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe
4020	sysdevbod.exe
4020	sysdevbod.exe
3904	adobloc.exe
3904	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4020	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	88
PID 3424 wrote to memory of 4020	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	88
PID 3424 wrote to memory of 4020	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	88
PID 3424 wrote to memory of 3904	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	89
PID 3424 wrote to memory of 3904	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	89
PID 3424 wrote to memory of 3904	3424	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	89

C:\Users\Admin\AppData\Local\Temp\9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
"C:\Users\Admin\AppData\Local\Temp\9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Files9E\adobloc.exe
  C:\Files9E\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9E\adobloc.exe

Filesize
146KB

MD5
8e4200612caff3df522da7999f4e69a7

SHA1
ee028b9a3c0036aed73e32db8cef974d75b68ba3

SHA256
dc377d868fc92b17def0570417cb110d4438dbddc39ec3e7b459913ced95d531

SHA512
7d91de6eaf6cc451f9be2a0885622f2d57aa39bc9d51643e50c57dfd390568b36e8ca1bd976b594849e92c48441f1c5f195fce5c6113d2d7682f87ad39e8193a

Download Submit
C:\Files9E\adobloc.exe

Filesize
2.6MB

MD5
0aceb395f551c824b1123af11bce2034

SHA1
f4106f3da77754cdefd02d0f40e79f1259ecb470

SHA256
fbd9e0b9245bc6d0238d82560ff5117adc7bc3fe2b2d6bbaa763f1fae6182d3f

SHA512
d02248630a4742cd395fa92d0fbfe62cd04b97ec76de2f625d5d86c483095eef94b78c7c34dca03841493ca17424df89b619ead13c9cbedbedf1ccaf9727e2a9

Download Submit
C:\KaVBO3\optidevloc.exe

Filesize
2.6MB

MD5
2c37361a355b9ba93f246226232b0f63

SHA1
524bbc122bbab0a113af61a853ad270f9166a769

SHA256
85459badf1a8664e1fafbe48571df919b0222bab1cb01bb1657422a3ec5f7ba7

SHA512
b14796232c7225d75a282b2d6e5dd878201d84e660aa959a84d3ce4728b8dbfbab417844c2be235fea588be03446cad5e11f4066d1a4c25e7b021e83d47f5b76

Download Submit
C:\KaVBO3\optidevloc.exe

Filesize
2.6MB

MD5
c0e19568bd5a2e516b9c12c0abbca064

SHA1
53df0d3c8a77a2a2bd74b09203b6e2cbf51a8363

SHA256
2b433b340cf97d4edc75a69243caf17031a7e95e2aca64754f01af9a10cae33d

SHA512
373efc121416e1d1d72c864c3ba547b2cd65c073804a0d2e28c4faa7e8567f654dee53cdd1e3af31b89b6d989b32f8effb842e99306cae651895f86c9f4eace6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
6f3f7bfc28ebe639b027dbf8b22636e5

SHA1
4a7968083f50544420909bcb39d9befc11ad9cc0

SHA256
7f59d5b204a7eccb89e632e5fc421af61456a738b53cf49edcc12d630846e2a5

SHA512
c97934a3adf56dfabeead3c365f9557365b7a98e7f72db059364830a5412e59e5c4eef21c6e18678d69b15e499b2dfeea07bf584adfffe519250f57444ab72b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
4f1e43b77e63a437fcc13bd12d887773

SHA1
a9009aa866c5a460ea7a8d4e2fe1891c3377621a

SHA256
174c588ce6dd6f31cb2d600b42be8b800ed0ffab5aa9cc75cf1cb045853a1983

SHA512
c04ef91c9b6fab3590765ef41872287a192d009ebfdb10a377301aa937af38b1446dd19e66adf8ee941264ed8385fa16b60bcbd2ef2b70ac58410c2dd5b59587

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
b75be0ce66f49a70b45f4ca10e5de0f2

SHA1
62367a3d72b6de4dad16fbd439d65802e5529abb

SHA256
0f8229b152edf16d7007322862832378d842cc4909069702406b10fc6dea3f38

SHA512
1ea60e1217a59d7625e5bc928e07c73424073ef6954d19a17ae2689016ac6becd3fee016776ac84288c350b84f8df71e63c4425ea50e8fb251122aa4cf0890d3

Download Submit