0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6f

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
Size

2.6MB
MD5

949f3697505f33ac2dc66c7a5f0a6e20
SHA1

41231ee231438562f5612c27f011b7e5c0d6229e
SHA256

0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6f
SHA512

d8fa61a7c09f6b4a2228a34af44934755e4666762f0a3bc5fa79ad464a44912c275c06ea776a413bd35a3783fa902d1f878d212964210d1660265def70b16b63
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUp5b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	sysaopti.exe
2872	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH2\\bodxec.exe"	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFH\\adobec.exe"	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe
2204	sysaopti.exe
2872	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2204	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	29
PID 2124 wrote to memory of 2204	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	29
PID 2124 wrote to memory of 2204	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	29
PID 2124 wrote to memory of 2204	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	29
PID 2124 wrote to memory of 2872	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	30
PID 2124 wrote to memory of 2872	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	30
PID 2124 wrote to memory of 2872	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	30
PID 2124 wrote to memory of 2872	2124	0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe	30

C:\Users\Admin\AppData\Local\Temp\0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe
"C:\Users\Admin\AppData\Local\Temp\0564ac7ab38056dc7aeb2c6cf3bf165b9913ae080bdd2e7b7996f7c7f3fa3d6fN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\SysDrvFH\adobec.exe
  C:\SysDrvFH\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBH2\bodxec.exe

Filesize
2.6MB

MD5
392a094f5e2766bf5b98eab1b14487b7

SHA1
75fe35af27c699e6734de46e7e70604ff80dfd72

SHA256
0817a080b0ff43a0eb8759078aefa0365a32b909331ae8af2475a7703b15f232

SHA512
76b3c2deedda98450d7426ab13649961503aadffbbd0bf7b32aafb3c14298be5c171e347c877a09774a58c388aa93079511c3fd6b5e5eb0d13e93de636f0fb66

Download Submit
C:\KaVBH2\bodxec.exe

Filesize
2.6MB

MD5
c121a556142b20436613caa0dc759971

SHA1
12ae8974bfda44d4c4cc9371c9808585f8c6c435

SHA256
32f2280d498d43822c6214458c101233fa15773a9150effb36efd28516c6b87e

SHA512
75e76d65fb3bb70108a1de35ea4194577a5726d47adc5334adbb66643417addde05d0b824e5d128c4266fb5ec7e28ff03f2bac38df6d7a6591fa8caed6606d45

Download Submit
C:\SysDrvFH\adobec.exe

Filesize
2.6MB

MD5
ef123f6ca03d3aa869f41f341f118fa9

SHA1
814cf451e8bb11a17e5179f10d9d3177eca93bb3

SHA256
45d68121542f7643161c9faf88f755792f0401d8c901325f7ebf97cb5c0c0123

SHA512
38156cdd9f9fdf4c2eb012d9924728a594a75cb0abe123dae1cd514ee2001c0c192b64a194874e8a3eb2bb1da662ebcfdeff1a94af6d049f7de58babffb140a2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
7d69846e71a0c5cdf548ff6a3cbe89bd

SHA1
ea2491c167c63e19f95a980f2c31f2ff8b571f4e

SHA256
adaa3a0d0a95a56bbb487d0811eee9682b22f3452ec3ff0b03a6f6405ba65d64

SHA512
1cd489a307bd8bd0c3e1b3bb0ca9f0aba0ee88a4cc6bdf36e93da7081d1418b36bad38dbe405e5db36c5bc18bdc71874c3640e6669c72a34c4e3d04dc4b2d1f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
57761747e03cbe0ccbf83cba29e84353

SHA1
597357ecb4557487da5ffa3d71574a7b20a445b0

SHA256
9df98738fed490e7735dabb412d1c5956f50ae3d283a24bff2b166b90f63e644

SHA512
83d5de4d4c88bf4fea273217879d84629247f0581b68069a83c9b4db961c920c930a597e88757ce9c402e98ef064ab9f61c2edfe9b7ec904a5344aca10ac7a1c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
cf554f74d0603d5e0e6c8f1b1a91d8d7

SHA1
650fb33fac71d7a4e5fe6a27d63771185cfbb693

SHA256
3539685275f3bf670c282a94892af27bd7c59f9f7a394d60f018633855750f90

SHA512
ec14a3ac60b270ee07694e32e717194bc6f8bd7451a442ef8d0f42415d3c4ae1bd7045477e8af1023d11f06be6f0ac81dc17f9907471aa5e939dd9d1e7ca7968

Download Submit