Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:58
Static task: static1
Behavioral task: behavioral1
  Sample: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
  Resource: win10v2004-20241007-en
General
Target: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
Size: 2.6MB
MD5: a8c23cf01ddca118253b54c8bd9c7c40
SHA1: 46d3a880fde7512b73bc768ebcfcc0e37b023fa6
SHA256: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823f
SHA512: c1bace1db34362cc10b193f659bf57e9227cf0cc43b7da676c00af05ad94653ea527acdc6bc99c7282f61ef6c1d53c43b71a16bf72a1a1100e9ff8e92fd4c5d4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpzb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
Executes dropped EXE (2 IoCs)
  PID 2036  sysdevdob.exe
  PID 2864  adobloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3Z\\adobloc.exe"  (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT8\\dobaloc.exe"  (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: adobloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  780   8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe  (4 entries)
  2036  sysdevdob.exe  (repeated, alternating in pairs with PID 2864)
  2864  adobloc.exe    (repeated, alternating in pairs with PID 2036)
  (64 entries in total; only the three distinct pid/process pairs are listed here)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 780 (8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe) wrote to memory of PID 2036, procid_target 86  (3 entries)
  PID 780 (8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe) wrote to memory of PID 2864, procid_target 87  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe  (PID 780)
  command line: "C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (PID 2036)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  child: C:\Adobe3Z\adobloc.exe  (PID 2864)
    command line: C:\Adobe3Z\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads