de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 10:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
Size

2.6MB
MD5

0367a98996624894fa2ded250c3c0350
SHA1

50c6b6d03a3f58387a37fd515ef558cf1071f886
SHA256

de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0
SHA512

e3f69bb4ceb96027c242cb42ab4f21c07fdd526d72f28d17b4d8d9a1c0646bead3216352961c46ac140b7aa83255f14750735744f2f3190e75791c97549b2d80
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3116	sysadob.exe
1348	abodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotA5\\abodloc.exe"	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNP\\dobdevec.exe"	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe
3116	sysadob.exe
3116	sysadob.exe
1348	abodloc.exe
1348	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3116	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	86
PID 4164 wrote to memory of 3116	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	86
PID 4164 wrote to memory of 3116	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	86
PID 4164 wrote to memory of 1348	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	87
PID 4164 wrote to memory of 1348	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	87
PID 4164 wrote to memory of 1348	4164	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	87

C:\Users\Admin\AppData\Local\Temp\de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\UserDotA5\abodloc.exe
  C:\UserDotA5\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNP\dobdevec.exe

Filesize
1.4MB

MD5
d54f3171bf99093c9af58817f1a79d90

SHA1
05b8f9b9c1e99b53f10ed508aba99e89145ae24f

SHA256
d659517d4a44ed464cb3151d0c53ae22751de8057165a160ba9c8e564d8c6d3c

SHA512
92a0160c9b77b11a6b9db4e61ce1cabae0655c4bf82494f968e1341eae29ee521579b7aa52ff593192714dd2fc05c8813af90b95141fa6e5672c2cc2742a8bf2

Download Submit
C:\MintNP\dobdevec.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\UserDotA5\abodloc.exe

Filesize
2.6MB

MD5
af9d8da1395299caef5921056ef0ac38

SHA1
2ff0b38b54487c0fdd8a219ddb1fbfc7cf46f90b

SHA256
0b9650d0ae24898606d7d43d72f7b24700181511d5e16be7d13d99250179285c

SHA512
898f5c3a0ffd1c49911c1a6eaea8de9b05113181cf4adf7b85c06959029c146a27e8febae5059fa8c94ff4adc08b00dfd3062cb97daaf70ea6efe018b3906cc2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
5326759f055b895ffdf03bd2a75dfab4

SHA1
ced19bae7de08ea76be3838723df7f6b416292e0

SHA256
fd479b8a3a52b6786c1a4991cbccea73fa9fdadc752600af67ca024dcb7c966d

SHA512
03b0471aea9f9635e5d31e4aa67c7f7e484bed2ee0c264fb3d05f04e287954daee4d231fc7faff489f9b57b3e1ca41eeb9a05e6f8cd4c9e471ee950198cd4924

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
60bc3236f8ed9dc816405c685eb65f73

SHA1
f24ac6b3e15e1bfe64450d76d9f7f97a322b5dbd

SHA256
8db5b12a4d529e19e1b4c420847564a0a2181ce4efdd6fcb31bbb6097930028e

SHA512
2d8e81986634161c14ece0f7a4dea23cf9781a1d139ee5e4b9f1db36dc1a90bbf54a103276a5bfb5e46facdbd9a8a0cf88a0f5f9bc92ac4334cce5d8d395bd7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
d183ab9cbbb55e6946830a0e3d782184

SHA1
38859d44e885cd208bb95c723883a426b1c81c3b

SHA256
404b967e3d439605bffa117e74240090640579e64dec3500fb799e082b92a897

SHA512
fe0a156944fa430ccfb26639b1c912758b02b4843d382787913dfd2afe1b299ae100400a7f226b5d35bd9f0c8622525603d90591d810606ae839ed4d65f55a8a

Download Submit