f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Size

2.6MB
MD5

a37a4fe8457103d4e56baa5f929ca4b9
SHA1

ffa5598357454bb21adf25042afd2e245735df63
SHA256

f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46
SHA512

3911485d0cd63a27562e84e97af79a146076f70e0da33fabc7715e117949ed561736746715b0cfa21b2ce9b906d1bf628fe49db8a498a0acad62fde56a050c91
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	locadob.exe
2736	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4R\\adobsys.exe"	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZX4\\dobxsys.exe"	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe
2780	locadob.exe
2736	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2780	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	30
PID 2656 wrote to memory of 2780	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	30
PID 2656 wrote to memory of 2780	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	30
PID 2656 wrote to memory of 2780	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	30
PID 2656 wrote to memory of 2736	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	31
PID 2656 wrote to memory of 2736	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	31
PID 2656 wrote to memory of 2736	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	31
PID 2656 wrote to memory of 2736	2656	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	31

C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
"C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Files4R\adobsys.exe
  C:\Files4R\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4R\adobsys.exe

Filesize
2.6MB

MD5
f2c227cf4af2fd7c1860f4eae5771557

SHA1
9111f10720f194e988d44347a4ba7375811dc302

SHA256
1a23c7528ce7c7e99bc8862d7f552896090af28932f666f4aca17394591f6b04

SHA512
497a29acbd48ef53588efe3b22a42dbafda226b6d05de3ffadf24d90c53d301053327947af16923e36076354cbd9d5e388154c59f821ed42ff72cfbd758a6863

Download Submit
C:\LabZX4\dobxsys.exe

Filesize
2.6MB

MD5
7d46813d18a70eddd802c6a0a95f10a8

SHA1
577aad5ce7ab4e4506c25ca6504f95e1852acd23

SHA256
5cf459b018aac339e8aa364f7cfb851014f6a3c35bd769ab66a15edbd39ea01f

SHA512
fd402a9586a35e4b309c950d4b88de476c682a526d88c93ded84d5a1d24aa83fdaf1fc9e755bedb5ddb18092c2fae6b82200123115bf735d6bce65121aadfadd

Download Submit
C:\LabZX4\dobxsys.exe

Filesize
2.6MB

MD5
d80581fc90a8b3bef3111ef1e92bb92c

SHA1
43562cd3f10e575be5b919013ebb458a6e58afe0

SHA256
e9dc7d419efc7b77cf92029f0300e22666b426334778c509a82908a497ce1253

SHA512
ea00da04f1ae4af9812b4298bb9986e477a947b4c898109ca41b3563cf77c962fcb6640df3f0796bd7a09d55c456f6a4b02434c082382aea911f73604c27b7c2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
993436d85e977ecd7c8267a85d409844

SHA1
9e5b9c4d247d69471f7b164e7d07cc4a10db528e

SHA256
80599b029c5e2b2032ff9b7a3e877e8fa67c52e2981bc2a458c9869777c23a08

SHA512
53e5dafb8b84626f07262f1e97b1a04f9f0aee0f8f9b9c3f0f9c7842e7a80d382b9236d584d1d3e9561a6578a8bee0b0920a6e669f53915a1010303b179d4b7a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ed0927816a82d9804848c496ac6f8cee

SHA1
7ba475cf47e794e1e2e500745ebcf51346cb7599

SHA256
e5a23d581f089996b795af298a6b8a497e1d49e8cb0c9678b99d3612f2a1f2d2

SHA512
a3568bdbcec99ff5dc6116eaca7d2c6cd9296d6548a9f14c180d9a06162ba48299e684d764e383e1c06c48be5cbd4fc8d43a616a36400a00ddbfca50bd33e623

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
d19e20db15cc2c3a8bfc337b20e7613c

SHA1
ec7cfa18454cfc6ed5e51c60a8bb60c3cbdcf338

SHA256
08462d04ef20e5fe96d26799d33bfa143aa9200d7c9b75e8f42f7847be5a85c1

SHA512
96977052258d987d64850fe231d3e33eec22ca5dda76c5b8f9a8054d87b2f0f1dfcf683342977a80305fe6437081b5fc314f2b3fe4d83371679ec5cb8f591bca

Download Submit