59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1d

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Size

2.6MB
MD5

914005ba9c41c73f44f7ae9e58ddd310
SHA1

abbd268a9e14d207502da3623540b3054a0de783
SHA256

59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1d
SHA512

3f023b245549dff6f932af3a39934e54045fafaf807d359dcda663f29c7a31c51a0f0986981fcf6175f2a64e12fb315605b05ec9d2012200357a7516fd95a8e3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe

Executes dropped EXE 2 IoCs

pid	Process
4804	sysdevbod.exe
3132	adobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3Z\\adobloc.exe"	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5Z\\optialoc.exe"	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe
4804	sysdevbod.exe
4804	sysdevbod.exe
3132	adobloc.exe
3132	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4804	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	90
PID 2680 wrote to memory of 4804	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	90
PID 2680 wrote to memory of 4804	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	90
PID 2680 wrote to memory of 3132	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	93
PID 2680 wrote to memory of 3132	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	93
PID 2680 wrote to memory of 3132	2680	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	93

C:\Users\Admin\AppData\Local\Temp\59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
"C:\Users\Admin\AppData\Local\Temp\59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Intelproc3Z\adobloc.exe
  C:\Intelproc3Z\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5Z\optialoc.exe

Filesize
2.6MB

MD5
299ba93ab27b61ef7be5af3ed0502237

SHA1
0df31ff5ac6dc11b818f3876be4acbc3f1027e79

SHA256
f21fa8b2e9657cf2787142fcf4c6e9ffa40c33b3935379005a472bc7b53556b4

SHA512
a979039a1fe1df7bc46f50a5028ba2478005ef54117474b75d398a8af1da59cf919dbac29473dfd1c772fd668b539e1c772c0afd1b91737c08a4b577a10f24d1

Download Submit
C:\Galax5Z\optialoc.exe

Filesize
273KB

MD5
edac67541e17327676c69e7ce541e5e5

SHA1
7489b3893cd631df40fe2c6a3d8b8c059c4daff3

SHA256
f41af16280d71e1bdcb9e9bf942b2c0e87f1d6aef62b6e951820870edf1fc04c

SHA512
4764a19827f9be3d915eff21e3f27ccdafc1e507d1ef8b277b300aaaf7265fed9ec7724aa9b9f450d914b321f62414d2209fa89f3f62e38f9a0b74c5b07b3536

Download Submit
C:\Intelproc3Z\adobloc.exe

Filesize
2.6MB

MD5
2026c464c40dadd9c4107314e8bfe49b

SHA1
0a2de9f088579d0ae9707e23f10b04be4a134159

SHA256
7f6d37447d3ca031c4176d29d65a1d5e39bcc74d3f67af2907de905a5fab61a5

SHA512
5e244fa5fa6a24eb4216b7975a881a55a31c9403c653a073c09c8b68ca27c08c7fac02da606fe9c4425bcd4f249b62234875a4f4389fde690a70284b4f36b4ac

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
49fcc91a22c22ec9bd0e6aa18cb5e901

SHA1
d4c682ed9492b7994484a80f1d059e9b03545d19

SHA256
78a402a64de58aeaf386f32ad51920f87ac4da027a43c9e79fcd937035af1e66

SHA512
b48f979ade0fb4906fe17de92398a88b0940c7e46622a294c945fd24919973e23f9199071b05f30ff612d6198502bab81ed10c26ea622e18e7e836d4ba1af61d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
e50fa78a872aca8005c3454f707b3c03

SHA1
e242a9324fc1b98eab9a01a42161440c32e928e6

SHA256
dd5aa16ab63e23fcaa79e09b479724fe0fd6a81efbee075c8c6d89dddf746514

SHA512
89d0ccf7823e91fa6a4892c3e889ae2dc76f4e3da88b19f09234a1adb038ea4ade2795681af79184472f6484ee4a658623c6ac09b9452f6246b49f7cb40795b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
150a7d289933299d23279336fa9e2692

SHA1
ee2e0ff311aaee9845eda51d7286937892ed7c4e

SHA256
437c928acb588bf00844c4c2555e9d6ace7b07dd230511a703e0007a66268794

SHA512
50a3d7c1c185c2ab7d0b0c643939f596bb4131ce88d4245916d688add1a9b012f4ac4fbb2a066e797ef0bf082bbdbc8584ba5353c75f4ae749c39ab820f33ac4

Download Submit