f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7a

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
Size

2.6MB
MD5

7ecb2767349278c2191f9c3d4158d3f0
SHA1

30ee0476c8a0ccf92ec13a9f27e413065dca52af
SHA256

f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7a
SHA512

d1b278dc944ad8b045ff0141eab38d15a7a3a081d3ef54931014154b6dfef5e218ee8d61ac01e2885702534e1e4db4f498aaad456e6809c02ba58def4b88b57a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	locdevbod.exe
2996	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD1\\adobloc.exe"	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8U\\optidevec.exe"	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe
2824	locdevbod.exe
2996	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2824	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	29
PID 2536 wrote to memory of 2824	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	29
PID 2536 wrote to memory of 2824	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	29
PID 2536 wrote to memory of 2824	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	29
PID 2536 wrote to memory of 2996	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	30
PID 2536 wrote to memory of 2996	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	30
PID 2536 wrote to memory of 2996	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	30
PID 2536 wrote to memory of 2996	2536	f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe	30

C:\Users\Admin\AppData\Local\Temp\f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe
"C:\Users\Admin\AppData\Local\Temp\f50c0aceadb62dd054031f69a3f934a14f947b524f3612b618d4d2e91072db7aN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\SysDrvD1\adobloc.exe
  C:\SysDrvD1\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8U\optidevec.exe

Filesize
2.6MB

MD5
a4423be8e0b9ff947b0b2e1bcaad3256

SHA1
387fc4c63535c5ceeba2270bc0db20ca9b4b6674

SHA256
0f97f1f847802775843d3ba3d1a45341352790bc67fca5e960ac344dfd2915d2

SHA512
66379b0f3fbd91c2d14edfd91c01152370c66b7243911df46c40a9bff9502eca7dcd9c8f64432e7de90091e1c153bb2a87756c3c2440ff5dcf9208f8753ad1c4

Download Submit
C:\Galax8U\optidevec.exe

Filesize
2.6MB

MD5
73625317553a02e32294168ae270af3f

SHA1
0ea1eba7ace57717b2cbef60a37fe2784dd781dc

SHA256
4f71be62d7961ad2135352cd5263a300170eb70edd63013e0d26f9ae92fd4352

SHA512
f7d8d8df56484ab28763468b9e389cee2827ec82c9ad6c7c37936e6ebf2e6fa64bd2a423431f502db435f55282d5cf3b44aad43e55723fe44a0af87790f54224

Download Submit
C:\SysDrvD1\adobloc.exe

Filesize
2.6MB

MD5
f0e82a6dbd29588428be01b7d8ecf495

SHA1
000d70ac92934e7e143cd65a5e6cc2e6709071c1

SHA256
84ebdb2d96b9d902d5553d3fbb193fd18e1233925a1d0bd18d43e3f9f7ccd8a5

SHA512
874797b36ccd55f9584e38d4bcccec55f9603154ae20811b7c1c43aa13236e003df6ab3492778f2e773bdd6d83c482cf67cc28b647d360cf34dec42756a95af5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
a3b8918a4f940e0e9dc0962db41b2ec1

SHA1
1899d46ec2d5f8f91e7caa05ad2cdfc41a555788

SHA256
a3fda9c1f0016ecdc6e03e2873e308384358e96c38aec2ed7a5eddd073189646

SHA512
795984c31d691307a864313f4368ccccfec033a34ea8d1365af85dd49144ebb37287adb0f27ed622b3919cd6ff113fba720bd3f9ed534fcf2bb11c7e9d72a4d1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
e262a2b35edfb3e662a9d20ef8f330c6

SHA1
6327728c457546c8aabf9b09cc1136bab1ee9a5e

SHA256
4e9c8d8cc55605be27eaf7f6c0257347a9791d4286755150ae8ba668d0f3196b

SHA512
419c956d0fcbbe9a9eec785c90c8a5598583ac4e77b12c3a48f8732d90cd3a7ed4c8ec919c46de85afffce5e2fd950b3128fc4c18a40fe9e0d9e4b55c0468057

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
6b5fe7ffa689e578fda366f5c72c4674

SHA1
241a2ecc504319e273413b39b72a0b9c86ce7535

SHA256
ad26551cf32dd66463260a5dfc2e43f36c5a03039ddedce332e7b9d78e85525e

SHA512
d6b0d4af33a82dac89e84e6d530aa0fa41e5653491c4af452b3c6b82c074fbb34fd849bb6cbedfdde6cf358068069bf7cdb08296531c789b3018308ccaba69ed

Download Submit