ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
Size

2.6MB
MD5

784375e4a6a928d31c7ee38b7ffd4ef2
SHA1

bc803118e78386178cbff09cbbd56ea6edd5d294
SHA256

ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578
SHA512

b2cc3b3a8d8b463eccd94ec06bf79a38c239738df8b0bf3a357ae12d056ce12edc27a0b0ce6feab8f29f98580355b38040568d773ebfd5665482bb94445784da
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpib

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	locadob.exe
2808	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZX4\\dobxsys.exe"	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4R\\adobsys.exe"	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe
2800	locadob.exe
2808	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2800	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	30
PID 2656 wrote to memory of 2800	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	30
PID 2656 wrote to memory of 2800	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	30
PID 2656 wrote to memory of 2800	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	30
PID 2656 wrote to memory of 2808	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	31
PID 2656 wrote to memory of 2808	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	31
PID 2656 wrote to memory of 2808	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	31
PID 2656 wrote to memory of 2808	2656	ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe	31

C:\Users\Admin\AppData\Local\Temp\ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe
"C:\Users\Admin\AppData\Local\Temp\ee3b3c5fa46cb1a9b7be49998428642a0bfdfe8b14b3e737691db72c33a73578.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Files4R\adobsys.exe
  C:\Files4R\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4R\adobsys.exe

Filesize
2.6MB

MD5
9fbe991981c18c1b3a71a030feca5bac

SHA1
5fb37c12d5c4a94040dbdfbc7970cb04c0b15ab0

SHA256
6588854420b06b1b559b3cc29fe272e1813e8e7ba73567bb2d740fc05edd7ddb

SHA512
212305cccf08bb56c9ca60a64b91e227b62c15039e3fdcb70117da8abd5a587c5a467da346f9b752ce4b37c5bc8752970744f50c2bf38aae7f501e4ebc737a09

Download Submit
C:\LabZX4\dobxsys.exe

Filesize
1.2MB

MD5
fbeb29b65786f177b616e3340a7a7137

SHA1
b48db1d7ed1df4760cd5afcf2f9f9fcbeb80fd96

SHA256
d8a1aa1125ab8ee76b5115d01fd1bb7069ac8e94b51635aff08355c90c9c2834

SHA512
9bdc37dd8ec80d837f11cf7641c70b8e9d602587eb66fb950709cd9721bb461bc6c2c4a7c56feba3d8485713385b624689f47226cba91d3b8c5d1da0d8449eb7

Download Submit
C:\LabZX4\dobxsys.exe

Filesize
2.6MB

MD5
491fbc0d849caeb999f307caca1f6b4e

SHA1
aeb829a7ade52decff716d4bf1d3ad22569c33d4

SHA256
34544a423686e7982f321398d300ebea73bcc40b00f8e63e66ace443e0845ab6

SHA512
8b457745745c81745eadfe84ad4d827fae3b778aeea8302dbdc128f0358d9274a4ea158141d816d12bdc8ac5ca168651aade6200867b4c7cb89140ef5dcd7478

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
993436d85e977ecd7c8267a85d409844

SHA1
9e5b9c4d247d69471f7b164e7d07cc4a10db528e

SHA256
80599b029c5e2b2032ff9b7a3e877e8fa67c52e2981bc2a458c9869777c23a08

SHA512
53e5dafb8b84626f07262f1e97b1a04f9f0aee0f8f9b9c3f0f9c7842e7a80d382b9236d584d1d3e9561a6578a8bee0b0920a6e669f53915a1010303b179d4b7a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ed0927816a82d9804848c496ac6f8cee

SHA1
7ba475cf47e794e1e2e500745ebcf51346cb7599

SHA256
e5a23d581f089996b795af298a6b8a497e1d49e8cb0c9678b99d3612f2a1f2d2

SHA512
a3568bdbcec99ff5dc6116eaca7d2c6cd9296d6548a9f14c180d9a06162ba48299e684d764e383e1c06c48be5cbd4fc8d43a616a36400a00ddbfca50bd33e623

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
33cab12fc23ce9d97a7b8651ec862b2c

SHA1
9454b36aa9c5cfe596d1b644d967249d7e85e6cf

SHA256
cbb37372358cf3505547d87c35614e0890a442a4c607b5ece289e6ae90a2f1ef

SHA512
257aca8e41cf26f3f65b5a406e5b46be6e3b06d8fe1cdbbdc8fad6f37bacc658588d68eda86632eda7d268f32c65f250271bd5143816811e4f7b1b6e8e7c4719

Download Submit