af6da1b303e3d1ee733048e90f9d1b1108deb7b8edc16db94a4e57a1192a715f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c653653d317a608e42e5fd15f348980N.exe
Size

3.0MB
MD5

3c653653d317a608e42e5fd15f348980
SHA1

3bda0268bb2791d2bda8ee7062ad7ae489622024
SHA256

af6da1b303e3d1ee733048e90f9d1b1108deb7b8edc16db94a4e57a1192a715f
SHA512

eb33dca51875d727a2f49b91aadffbffe54320f96911ec662266537ab086be1d7f43cd0c9c24b540b8bf9b71414acde2c4cdfc6b0ed9853f4e05c00025225489
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUprbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	3c653653d317a608e42e5fd15f348980N.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	sysdevopti.exe
2700	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	3c653653d317a608e42e5fd15f348980N.exe
2192	3c653653d317a608e42e5fd15f348980N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files34\\adobloc.exe"	3c653653d317a608e42e5fd15f348980N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXH\\optidevloc.exe"	3c653653d317a608e42e5fd15f348980N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c653653d317a608e42e5fd15f348980N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	3c653653d317a608e42e5fd15f348980N.exe
2192	3c653653d317a608e42e5fd15f348980N.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe
2804	sysdevopti.exe
2700	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2804	2192	3c653653d317a608e42e5fd15f348980N.exe	30
PID 2192 wrote to memory of 2804	2192	3c653653d317a608e42e5fd15f348980N.exe	30
PID 2192 wrote to memory of 2804	2192	3c653653d317a608e42e5fd15f348980N.exe	30
PID 2192 wrote to memory of 2804	2192	3c653653d317a608e42e5fd15f348980N.exe	30
PID 2192 wrote to memory of 2700	2192	3c653653d317a608e42e5fd15f348980N.exe	31
PID 2192 wrote to memory of 2700	2192	3c653653d317a608e42e5fd15f348980N.exe	31
PID 2192 wrote to memory of 2700	2192	3c653653d317a608e42e5fd15f348980N.exe	31
PID 2192 wrote to memory of 2700	2192	3c653653d317a608e42e5fd15f348980N.exe	31

C:\Users\Admin\AppData\Local\Temp\3c653653d317a608e42e5fd15f348980N.exe
"C:\Users\Admin\AppData\Local\Temp\3c653653d317a608e42e5fd15f348980N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Files34\adobloc.exe
  C:\Files34\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files34\adobloc.exe

Filesize
6KB

MD5
b646265f07f9f16a9eedf6d5027f9e3c

SHA1
a47300f0e83643f499e1b7c1be83a375a1293ac7

SHA256
d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

SHA512
403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

Download Submit
C:\Files34\adobloc.exe

Filesize
3.0MB

MD5
e67aac9296c8618150661abb3475a032

SHA1
4c05fa955ab0dbf02205216124bf083489afd212

SHA256
f164167bcb0ce2ca32b756bd547f6d62a5dc8d3c3bf2176fad80f9a80fa82e89

SHA512
05b07375699f24e7ed6ff5d24bdba57095856d73674886996201039bf92bddc21237d00cb3bfc4c42358c6e4a4e8c0640cf54fe2744cf4f9c71ec5c0ab6b0541

Download Submit
C:\KaVBXH\optidevloc.exe

Filesize
3.0MB

MD5
50f6b00a5b26a1bbf0b0e5795387d281

SHA1
7cb108db04c0336d1ded81145ffee8c94e40296b

SHA256
42ba05418ec7bbef197d8c3e8888106872986e4294a395da1297f45a9b5ef2d4

SHA512
0722bc0b4bbea33aea1fa1d067dce0dc58fb51807467b043d85ef153e01a2cd2a5d270e8bddaa2c4525269b851f5826bfb2e0db1b39e079871d54902bf0171dd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
f3e12012ff253964cd4ecccf36f5c35d

SHA1
2227a05e8df3ae1d45021702fa76669b9f6e4ae0

SHA256
10253e0748237629394048bdad6a0ebb3e01d023f784e0e3333c745c8e762e46

SHA512
41103db322bed6a5036bcb8e4c9c245d537941478f8b942867f3b250044f5d82682b81a27ef3a04a267c15559a3504d38744c233467708368ee8f962752880c3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
09115fd45f9ff3bdfa394e47fb438711

SHA1
41a6372db7cd85eab4fecc9ddac24cfdbeb46bfd

SHA256
89d5b22d378faec233299171ed51a06b21a7b9d51ec2a3a9585484a53a4ff895

SHA512
d43bf6587e3fdeecf7b732c9a5d71abf26d26c68526c619593b29e07522198ae3b9d00e421183515249f42aedfa56df4951cec0435841492dabd9361d7a9910b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
0a4580ca0994a7db3a8206724612b17d

SHA1
0ddbda25d80329a59caa639406c09c21ad3e93c2

SHA256
142a55f38a60d12c29508b9dbb5384e1d2fef9872a58ebd4e2abf15f4c326793

SHA512
2f24fe10543041cbf1913adf64bb31d23bb636f5edee1cbc1cbed50dcbf4bd182cf531abf899ce1cdab162c9b6b9ee780cdb3bc0dd51800f4828501bf051106f

Download Submit