95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
Size

2.6MB
MD5

7bc9e1cb0a174fea59f5f782355b9ae8
SHA1

ff5fff09a26ae794d698938f3dd2d89625d5e990
SHA256

95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420
SHA512

e97cee50cfd69556d8cb57f7f3527f365920858f42fbcb862ad7167bc49a1c04fb459cb3ae2aa3d58fc1fa5d12842c3c8a884b28eb717a8a85f15681ed3d8997
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	sysdevbod.exe
2904	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTT\\dobasys.exe"	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL1\\adobec.exe"	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe
2224	sysdevbod.exe
2904	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2224	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	30
PID 2936 wrote to memory of 2224	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	30
PID 2936 wrote to memory of 2224	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	30
PID 2936 wrote to memory of 2224	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	30
PID 2936 wrote to memory of 2904	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	31
PID 2936 wrote to memory of 2904	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	31
PID 2936 wrote to memory of 2904	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	31
PID 2936 wrote to memory of 2904	2936	95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe	31

C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
"C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\FilesL1\adobec.exe
  C:\FilesL1\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesL1\adobec.exe

Filesize
2.6MB

MD5
ff4cca42378d37433e11c82c6b8f5ccd

SHA1
cb834e545d3aab1e05c842f6ea212c6853dd2bfe

SHA256
6c5f86f083f8c604c4521d1a8e51e5ac0974e4a23c269f7c4ea3252178414c57

SHA512
ecf522876e3c73ec83802a64fed806a5e3e68a1a8134faa5b47557e897406510a558395e10abccb8a42dfe76a62bd0e90de13aded5b264e99ff3b63010618229

Download Submit
C:\KaVBTT\dobasys.exe

Filesize
2.6MB

MD5
d48c87fcc9b7fe3421c0cf033a11a35f

SHA1
9c5ad489cd10c7982bfc8d4f37bc9d65c365fdab

SHA256
863db50f2dd43eee6faf0e16e03583ae20475f975c0228ad968132ded7710c4a

SHA512
7230a4c9f7bb84f732fd45286e2f35bc24603f9f792f621cbe2aa9a40de0dfa7d808abc0be27c4c6b89cf6fc3d8dd37c6c2c161bc4ed82f69b6c6adbbcd21725

Download Submit
C:\KaVBTT\dobasys.exe

Filesize
2.6MB

MD5
cc5e152f0f5f01817152567ca4aa0ab1

SHA1
fe281e503c690586f03211f7e7d91e2de588cb74

SHA256
b54d01ac511d9152eed0ac1058718ee66581f02630e48d6bac444024e4a117f3

SHA512
7ed845f293894bfa2448caa9e2b322b7c52fac2d843060e6af8b591893afafc4779ac11a983f31386031ee9703ea966e445a600aadde61c5df964bbcbe61b38f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
5cc9099a558a119a47b7b12f44ce6fdd

SHA1
5cedf11e3f35b2c29728bbb4758e6227fbe2c0c0

SHA256
884d3805a5ec27f34620da156ea028d6d4c5c924db64a7fa80756006034e719e

SHA512
ab0a757b0a48a756fbc8035c352baf167c88bf91f000d017e75de3e42f426521ab69612bff6c46fbe11d71ce667aa8ac5713a389de8b734468e0758ded4e1962

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
9afc5581344aa26d936a1eee456154f9

SHA1
34ab0cc93c54c5999bb096caa47a5d3363e762e9

SHA256
2302af6a72f85f7a019981b9f8e332496d8654185446e3c5bfdcad790b7ecaff

SHA512
c8a1b0515271f84865d6d8e0c199a26d71b5f49d6e1238288ac7792355ed4203b2d512fd42af9a9553204ed150cf908d3238d430062937b5c11806d3a168bb9b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
7a99e336db79068816ea42b8062354a6

SHA1
03ed5b019e72964dea666383a5bd3e1906d0e806

SHA256
bddb8818ee87bd8c2169e66cafbd8926555c570270289a726e7f29ea11ff5e00

SHA512
6ae2c10e92c5740b3ff48d7f51acbc68dc272b1d2c598a4c82c4bac58693ac5056f1975eb2981adde118c09e489abb525e2fb7069a7348c1f8395b4863a0bf0b

Download Submit