7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Size

2.6MB
MD5

fd9fa869215da69b80d1d897040b2dd0
SHA1

2d945392b274a46299a104fe3ebcf468a66ff1e3
SHA256

7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bf
SHA512

849a94563a48cf72be032984159659afbeafa03228d792112c2953f6d6fbee862548eaedbaaa2dde984c430b51b231b79a17c09ef449b0428eb2108105542966
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	locdevbod.exe
588	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX8\\adobsys.exe"	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidA3\\dobdevsys.exe"	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe
2172	locdevbod.exe
588	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2172	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	30
PID 1724 wrote to memory of 2172	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	30
PID 1724 wrote to memory of 2172	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	30
PID 1724 wrote to memory of 2172	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	30
PID 1724 wrote to memory of 588	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	31
PID 1724 wrote to memory of 588	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	31
PID 1724 wrote to memory of 588	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	31
PID 1724 wrote to memory of 588	1724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	31

C:\Users\Admin\AppData\Local\Temp\7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
"C:\Users\Admin\AppData\Local\Temp\7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\UserDotX8\adobsys.exe
  C:\UserDotX8\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotX8\adobsys.exe

Filesize
56KB

MD5
82e14fb95f2c55dcc9912192bafc133e

SHA1
51e6226a197f8b94211dacec0a80f27379a35e11

SHA256
ec494a934b51f9f4f1fb0cbdf34f32a6c06de9f500b6188a599b84881caca66f

SHA512
3d990d43775c8658d1a0e34c84a2ca59d168e2d35d221faa17764126a300ffb254212620230d71e730e02a122458f329f533b1376e98fff89e68880c1f1c5fe4

Download Submit
C:\UserDotX8\adobsys.exe

Filesize
2.6MB

MD5
dd8d49c02fba487b6a334945c30c3ff6

SHA1
e84a06712c3c6cf1c8754e42227c8eab98741c81

SHA256
2afa62e08833ddb0ffaa75cdc0fe47dd8eb1ada5abd056d5358bb534eecca126

SHA512
1f3be6b577690c43eb8c47747e6c5912881f7db49881c2b36ec1dad834f0c4d4aeeb63a967617d19bb1f881ca24a8fed567b069a2d4a27b6dc8837ddf1b07ecf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
538c8225982f95a0cfdb26d0930d3911

SHA1
4c524e8bc0948be554765043e4fcd3351c58f750

SHA256
b625eca300b47e7fb9b728305f7e8772c5a9bad4f8167d1fb62846dd41ceadd6

SHA512
182d8e0a142f1c28084ae963b2f04ba47454b4a286eca856800dd0ee7be4dfe05057832ec483646f95be4af71b6bf45614c30d8281d679bcd0b58981f3648fac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e9e29e6fa1253d3fc575d8e42d3051b6

SHA1
b86bc375c2ecc31db2e17d0cc36b7c0fa363599b

SHA256
8c0f156e316b800aff5373be17fd6b7a47b3b4c6e54a369677d8a5a335755662

SHA512
e147f706cbbaf968c4ec58a968a25ac21721c67e7e43c7d0cd7197d76ba2b191e225c9740ac0c2172523e75f0e287d7c3143ef5a66224e3326ceaaef3c086576

Download Submit
C:\VidA3\dobdevsys.exe

Filesize
23KB

MD5
859ebb87091eda45d4aaf0ea5e233084

SHA1
7db3583f649e3ca4a64208de312be8edeef804e4

SHA256
e5879114b6d73753c6e36f5dd28769d598180e7749714c60c98d3de4a491bbe9

SHA512
c09308ad9e9cabad916973148c7d104d499eb492568eaf5574fd9b68dee97beb2fade58e85b0be82d4c0ae18f05f7658c7b9a79adabd2c57472b2579cb7cb9c9

Download Submit
C:\VidA3\dobdevsys.exe

Filesize
1.2MB

MD5
2232388f2c67d9fdd603938da15c0361

SHA1
79bbc68822c4c4753cecbb0b4480bf9bd95c923a

SHA256
e82fe247a58c52b8707d10d3dcc7910e2711bb1009f951cb1ee44e782c63b94e

SHA512
d3e7793824f3a06bf0e833961ed5f27f9914dd8102ae10cb5c8b0e58633fc328e02e1c531b614e7b74cb927a543a7fb1fc25c519d635c0d7a505cedfacb6adc8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
b8a0bdb36ac58a38571f1dc1970b7c84

SHA1
3c87dd0a047b870c9b6ae20e8067c425f675f6da

SHA256
bd3c7fca60f4fbcd4ab67353085b89b89d19b382a23d66a3216507758ec5d5ac

SHA512
a94fd576c9329b6647489e98ba4d01c6f6ac425d5eecd27ea0e9ee45dd6e6b2f78eab637f9cad4fbc0abb4942705ab22f9e2b48a5f0971ff732a4d422e670138

Download Submit