a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
Size

2.6MB
MD5

e715a138ae7609f6ee35709597e72e60
SHA1

a3d825ce13e916cdac383ace993cee5e5af57edf
SHA256

a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65
SHA512

4eca8a078b2e1b6469376e9d4575258312fa61ed44ed9c8847b38b9533e822180972ae0c892fe6d53e667f3906f07d3dbe0dfd670eeb31611af5da677e43a0c1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpqb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe

Executes dropped EXE 2 IoCs

pid	Process
4232	sysxdob.exe
4668	adobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJC\\adobloc.exe"	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDF\\optidevec.exe"	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe
4232	sysxdob.exe
4232	sysxdob.exe
4668	adobloc.exe
4668	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4232	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	82
PID 4856 wrote to memory of 4232	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	82
PID 4856 wrote to memory of 4232	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	82
PID 4856 wrote to memory of 4668	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	83
PID 4856 wrote to memory of 4668	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	83
PID 4856 wrote to memory of 4668	4856	a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe	83

C:\Users\Admin\AppData\Local\Temp\a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe
"C:\Users\Admin\AppData\Local\Temp\a035d75c2a3413d374f2770b243b3ab387f54eed4485457a02f4fed50d938f65N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\UserDotJC\adobloc.exe
  C:\UserDotJC\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintDF\optidevec.exe

Filesize
2.6MB

MD5
2a21da0369160d9892cf2c4ed01145ce

SHA1
322de0cd2f4f3f4ced91d2f486baecf1c98fd94a

SHA256
88311aec783cd3d4219e357f56327bc78afe6c61d501376fb0abcce5a202e6e8

SHA512
78a0bc04aa97ba1cc712a530ca12da86ae5d94db95cadff222f184212e5a6b99ef91fd214bd6d654ec731333f0f667b4cbbe53de9c1a040e1742f82092bf39f2

Download Submit
C:\MintDF\optidevec.exe

Filesize
525KB

MD5
ed46134a3eddb91a59612a9689173f41

SHA1
4aa8be4d8cec4bbd925d09a6aa79ccfee838a4a5

SHA256
82650e43144044b6d10305d4344f371d0221dbf296ccdc8b4f1e9d10b4342bdd

SHA512
4fa0c6346fcc7787c24ddf9731587b41bcfe055b1a582a6819182b6834723b49398db90c1d27b730494ae881069230abaacd05f4b26b1788b5a646be7a1921e8

Download Submit
C:\UserDotJC\adobloc.exe

Filesize
2.6MB

MD5
3b2917533fe17ded2220aaad1471075f

SHA1
9f168aeba1ae7142f6c6384f411a2c629f01b4ab

SHA256
be19d3ccc7b489ec5acc84f0f18de998501c9e12c4f8189f29df470aad664e8c

SHA512
17315524f414e914e1165dffb439180eaeb88e3799f6d74cd59a196f7fb58d0629c5825c3c72dc2724b5be0b98f0211a142217d80aec823640962b45f8b3f18b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
52b0dfa580f59a48a365fc2c2e1a1e93

SHA1
4fcfb8fa134d53c96a7e8c1c1ea1afd23965f293

SHA256
14f3baa07895b73b0fc8a7951b483b4ff0cafd9375604e0c11ba0f3e926eb39b

SHA512
87b209e60749812820a8ff39a1cbf435b8333b0c06da67c0709cbffcadfd71bb2f5e1c9966a9f55284c5b8e5df4b2311f7b45b7b0f30fea5cc617444b4756e90

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
d3fe42b58e91ff53a2741caa21c7aa43

SHA1
a6a022fd4b0b724b1a8ca72815db8f8b627a754b

SHA256
2e4e30c4914cbbcbb674a30ee50663acf25b539c83da6ead02055783c2410189

SHA512
b86255cab4416985a31e4df680bb138552facc8dcc79de38c9d73cd931c19c40040e9293bd8b0723dccb981528d3677e378ea29c6d711144018637d97be210a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
db1bbe636e811998fd5e8a74e574ac51

SHA1
43a1c9ea1b88ac7121949633821d3207856bbdc8

SHA256
7df0322119b8d107e95a7e4eceaed82fea5a16322444db97c3e3e68ea5c89ae3

SHA512
c8e9798d9d2b047b013109889d80abad00ecaea14fdfdcb71d7bc1f5048c996f324b1ec212f2f1dd492628ea6443abab0c48388f35406d5409681e1b2853d8df

Download Submit