773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Size

2.6MB
MD5

b53073527df4d7478f36adc5224fba20
SHA1

93d72e92facc83a99cfb53ca4bcf4d2e8920f0f0
SHA256

773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9
SHA512

381318224b5183b5368a8a3f365b18265f3db892846397969535fdaf6be5d00abb33f9b5fc785d344662b22cbd264ba47cb3ca08d6881a790e32aaa49311ae78
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	sysadob.exe
396	xbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD3\\xbodec.exe"	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8Z\\optidevloc.exe"	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe
4552	sysadob.exe
4552	sysadob.exe
396	xbodec.exe
396	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4552	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	87
PID 4384 wrote to memory of 4552	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	87
PID 4384 wrote to memory of 4552	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	87
PID 4384 wrote to memory of 396	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	88
PID 4384 wrote to memory of 396	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	88
PID 4384 wrote to memory of 396	4384	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	88

C:\Users\Admin\AppData\Local\Temp\773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
"C:\Users\Admin\AppData\Local\Temp\773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\AdobeD3\xbodec.exe
  C:\AdobeD3\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeD3\xbodec.exe

Filesize
2.6MB

MD5
f1f5595725d5ab8ae50d1e0717818c2f

SHA1
abcc3fa37de874969e2ff1d0c8db0a1b813c6198

SHA256
4119e0b7c9867c648d2733790f60cfdba69348d22900462b3fda285a73d1304f

SHA512
4f563fe6ed63f3ed4e060f6098952df08ef8cb48400c7e441d54e4c7daf7a9f90c05ef299bad1d78286b86813cee1eb65057e2dd82bbdf9d8a8add3132cc5142

Download Submit
C:\KaVB8Z\optidevloc.exe

Filesize
2.6MB

MD5
0adb6218155904d01b5bb57e4b4f9bee

SHA1
cd066d5743f483a861401ba3a3391f8a52c7a9cb

SHA256
a21f6315971411b338cbf2e82bd3c2103285edad7ea632668230834757fef586

SHA512
810278cc8a8db9eb883d77c095ef51395575d4d1511cee2f5e275da76c4b588e546b150c6c3978d141026ccfa0440479d962b3cf2bad7cf0d1db31f081bc5adc

Download Submit
C:\KaVB8Z\optidevloc.exe

Filesize
2.6MB

MD5
352ce19e32b669b8addb8b3866b415d6

SHA1
9245be930687bb49df62413c42681678ef4c8ee8

SHA256
cab1ca1ffbc100e2c969e07096741283edf02504d28dcf5f0f8d47ff5f989eb2

SHA512
0d8dde084cbfff64edd33a341049872736ab8f53fd69229e2164574e1ff7854635071a8d0150f4057731a4a82f2ba0362f8bf15157efa724dc638e3ccb8c116a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
cf06e28f7c677f4a36095ff1da6d84a1

SHA1
9bf2975cbe2920260b4125055f23f8358e714244

SHA256
cab0182a23741fdbacb22effd7483364a303b4cecec9cb85f329308b6a0cadcf

SHA512
dba9f65d01d667b9784ec0e06781fac6c501df4f7d1a66871add662c4e5ee7db91a2fbfce81077cd21f0c73f83715c387357a5b0d7fbab8cdf2f4ea61e30a3c8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7d6da27ce56fc87c525b8550181d81cf

SHA1
a1162c0c108f73f77258cacdc1eb9de6a46eca97

SHA256
951e5a44dad248f9c5233d195f2b33330189094c787bba061a9a371e464e6983

SHA512
7d6ab910b32f4428d19ebe5d57e86385cb42d7dd18cd0adef9031cd4369d267eacd746acea91f1087af7aebb22df7386edb3392542043ba21cb95dd0ad4daaf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
3a436e56ef8030c819bac80001fcaf3c

SHA1
9a57bef20271824b8500d89f26014cdfc06cf63e

SHA256
45376c8e5b69d589937a3fb66d7bb5fb70268e5782240d805e2a4e859cae2606

SHA512
42cc9a703f5003a30b19487661322f87cc54be29b96b67a2bda96480175165dc232728ed08b56efa5ec343a0d0966847798738dacbb55b3cfed3046eca5ff7f8

Download Submit