69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Size

2.6MB
MD5

2a1d3cf6c550582b05d052897e4cc18d
SHA1

4bcd069c7a1cef1004255493398ec261ccceb671
SHA256

69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b
SHA512

4def24e7dd2557d2e699cf53ef865a039e7b5166f4d0f87d85ee9dd78625e883615b8b6481b982f8506f32210e3faf4b696a5c42de4060dac14e7da8e6a5f6b4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpDb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe

Executes dropped EXE 2 IoCs

pid	Process
492	sysxdob.exe
2804	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX4\\boddevec.exe"	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1I\\adobloc.exe"	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe
492	sysxdob.exe
2804	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 492	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	31
PID 2308 wrote to memory of 492	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	31
PID 2308 wrote to memory of 492	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	31
PID 2308 wrote to memory of 492	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	31
PID 2308 wrote to memory of 2804	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	32
PID 2308 wrote to memory of 2804	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	32
PID 2308 wrote to memory of 2804	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	32
PID 2308 wrote to memory of 2804	2308	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	32

C:\Users\Admin\AppData\Local\Temp\69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
"C:\Users\Admin\AppData\Local\Temp\69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Adobe1I\adobloc.exe
  C:\Adobe1I\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1I\adobloc.exe

Filesize
424KB

MD5
b422d5aeddd4074f058d47bccff3c1e8

SHA1
599d69cebcf13928c7f25cf2f95023e35129e200

SHA256
781c3199de67ed938b3d55b19feeb3789c2e49c1c0a60f90ddbc3f1ec3a71bb2

SHA512
ad695cadb7b267e27b737089dabbe0135bb1b7f477d29182bccf3e9a6285d452ac156ddaeed37aa716d53082471d184b407f140fdf90aa9625fb0688e24f7f0f

Download Submit
C:\GalaxX4\boddevec.exe

Filesize
12KB

MD5
0d80c026ff7217667d1758553c9b1b94

SHA1
14d1f220d41220a37e1c0a894bbcc390e238adac

SHA256
3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8

SHA512
5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

Download Submit
C:\GalaxX4\boddevec.exe

Filesize
2.6MB

MD5
176be6ba273dca0fc53834b4244b8b45

SHA1
f7ceac107ab51574d4b259a0497545dcd7664dbe

SHA256
019a3f878ebc68ac62ee610632e1932a6f8a3ccd691609b97fc0377b49e141d7

SHA512
5afd7e1f480475fb858e983ebc9e309f4a161dcd9a69e28dca58a8308447416cbf024edc6036236018451d08c0f2b428d25c625793aa39e117a96baf97ceed17

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
85e39321c47d7405f7efbb1eb1fe96d8

SHA1
d5ab705c5ed9f7c080f300ad3a143a2a05dc0dd6

SHA256
0a0de5433fe2fbab278830783e189310bdff7211305330396422a6fa5194c24f

SHA512
ddd9c87c296f520f652a18bc225507a6c9c6d6e7a9019c2a5840ff9c958a992362bdd3f23e48ec11b254e694f619001f71aadaf62fe1f82bb207b2c09e5d29eb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a4ad12ebe5ed13752c79b9a8de878f68

SHA1
2546f6b4c3fa9e532dd4a2b75f8a77859ce00dcc

SHA256
df7d3e438566cf022ba4ba3c72ba8ec7a8010a6ca6989232c6d986c226e41d37

SHA512
90916aa06daf0a0d57e26a0cd2445aece43c768e46aff00a7791d29489bc1c5b54b30d2930ad3e52cc6a4f0337fe973094d42bb50549aa95b1214ba0c0fa7139

Download Submit
\Adobe1I\adobloc.exe

Filesize
2.6MB

MD5
6a57785206986d0db8ec9b81166bfc2b

SHA1
5ec93657c7f9c5d2edfbc90b105253df02465d38

SHA256
0222d8695bb8c4c3a94464027ed569c31c8655663955deb1043b21eee105ad70

SHA512
e0d0af6fc4025e302d46263eb60ddda46a063a3af59e09afa95fc631f964d11c5817bdb2479a047c96b035979ade1ca5db5a6d2345659589e861ceb376d123b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
51f378c2d0183119b11f1e1c6e714b7d

SHA1
601864ea7637ef6ca174f20a0c59875f7f60f01d

SHA256
d73d14dada8e76405f0a1009fb5b9c7682d5f007e5e8ba46f80b540070f65099

SHA512
31a83dbd26e31f7e9ef450cbd7f1b7d70ec17965dad14b00e968fc126ece7e773aae6e1a7beab320388113c2341ea53427ae231b001d5683156ff6e977e64790

Download Submit