27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
Size

2.6MB
MD5

29d57c556626e3405389e6ed1d6a20f6
SHA1

14bfc271050d73f38be423b79f333239f834c6c2
SHA256

27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc
SHA512

c17cb383b4228847d68cae80a0070144703bce2a0c04d4be079ee2a3f4dfb454c1d4fc07c03474f0d04245dfb907f537fae00ee1777ed8b9dd2e1756d35d3cd7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	locdevbod.exe
3432	adobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvB6\\adobloc.exe"	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR7\\optiasys.exe"	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe
1984	locdevbod.exe
1984	locdevbod.exe
3432	adobloc.exe
3432	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1984	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	86
PID 4300 wrote to memory of 1984	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	86
PID 4300 wrote to memory of 1984	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	86
PID 4300 wrote to memory of 3432	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	87
PID 4300 wrote to memory of 3432	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	87
PID 4300 wrote to memory of 3432	4300	27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe	87

C:\Users\Admin\AppData\Local\Temp\27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe
"C:\Users\Admin\AppData\Local\Temp\27907990cdfc8e7c632bbaa093114be12f0f878b0057d38457c7a71250512acc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\SysDrvB6\adobloc.exe
  C:\SysDrvB6\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvB6\adobloc.exe

Filesize
2.1MB

MD5
9dcb7e1ba503e287e72ac055f8271810

SHA1
307babe4ae3a7e38c3371da863a54f04181623af

SHA256
573abdbbe6a7cfaa5beacb9f7ed67044ce5d9e6bb322ea5967b3942a0512c4ac

SHA512
407375defc5128efe7e729ccfe0ac386ae86321050c4b4c34c709a0c8a06f23f49955bc99fc085d5d48876dee602ff0907816120afe0535add6f08e30e9ea2bc

Download Submit
C:\SysDrvB6\adobloc.exe

Filesize
2.6MB

MD5
901759f6b70a3935361913b002d427d7

SHA1
07bff165533ec818a089d19375ba9a61078e6566

SHA256
a3c4c574f87f15b3d8d8f76a2f9820eb303a428ca7521f3f7ad0aa87bba09352

SHA512
5c61f02348cef87494d6a48a2a39d09200ac119141e1e9dc5522f2731958d10a1c63c1203863feced3ec866171d29b419351788c93143b557e5937437a4bf080

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f174794fda2bb99c15cbbe766f64ac8c

SHA1
6b10897a24f10077c0ab441db32c0921a31bc312

SHA256
f5c820c7adfbda5f184f8b52b5f42e97ddfe51a4b91d3189a4bd60919dfa4af7

SHA512
0c751a4e00359a5992aac2e076cc749fad472c63ed5a7815c6b676f3616679e2aad9f12667d1ef323d8e83c85a987d0950dbfa1f043272eb795cd503337216ab

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7e2e7b20e2326c5e461f9f605624a872

SHA1
3716868da5907e6332d6c87817206a3114744e3f

SHA256
eb1b32bf34450d09596857a3bfbea8896d013e7cc6e6687a67d58ec5a24f8234

SHA512
43b690091d90d48b07c6fceaac00aaf6774aed8362a41bdcd7504495e369870cbb0d1acd1f04a9fd121fb2952ae738e82eb74c393d66bbf1cc77f15be7fc95fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
a6c573df5ea2c907b50cbb9de9b06969

SHA1
82fd87807b4e6ba3294dd77303a5eb7a46bd3fde

SHA256
78ea019e25ae00a245b0230a009b2bd768413d4b7f8e6fd742d6b5e37ab3a91a

SHA512
02fcf35a2f8db4e546187bf6febe11678943608b0b50fd4e265f57cae9348faf63a5e5ee97dfca413c16cfeb5ccafd466d89026473c88a58f2e36340ecb4e24d

Download Submit
C:\VidR7\optiasys.exe

Filesize
138KB

MD5
bcf51ab488ee39d7f5542b8ca9a7b7a9

SHA1
ac51edf6b579708c2324095bf5d35919875d748c

SHA256
3a4eafb781a18ca2d0c8128c62b078effa53e95ad257db8927d7392975c0b9ba

SHA512
4a4d9a8e29a6a363ea4111ed487a931e00436000e8d6a2fffeab56a13f2d7bad1a6c2fab6714aecfa5573310e8a6170f2a69f47b5775fab95eafaaaee1b3e94c

Download Submit
C:\VidR7\optiasys.exe

Filesize
2.6MB

MD5
21e99ce1d759e7b672d6ccc0a15447e9

SHA1
216115d52a49f2080572b34e793493637e559bbb

SHA256
fb54c50123c186a2aed0d0c4c2337e33295da366c8978eee220280b82f557d2c

SHA512
423a9b7ee7d0f8c8790cacf79dacc7ee1996882b14ec6f64a78d79bac65bb7b0da0a065b7c955cade2aacf039ff7acf6aeea38770ed0ff7b9f0fc418f56cccea

Download Submit