10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
Size

2.6MB
MD5

da233ca9db751628025cda54fa72efa3
SHA1

e7e4dbb5696b6c9139d1d7a3edac12ff6b4c715d
SHA256

10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118
SHA512

fe84ed01cf07fa83c7be8a328d06690c0e1dbe33fc3dfded3a8386534abbd5b9bc79055e7d82cb6592a70390c032d2fdb5a1b08990254afddcb2ff3fde90c332
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSm:sxX7QnxrloE5dpUpUbH

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	locdevdob.exe
1852	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZJ\\adobsys.exe"	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFL\\dobaec.exe"	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe
2684	locdevdob.exe
1852	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2684	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	30
PID 1716 wrote to memory of 2684	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	30
PID 1716 wrote to memory of 2684	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	30
PID 1716 wrote to memory of 2684	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	30
PID 1716 wrote to memory of 1852	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	31
PID 1716 wrote to memory of 1852	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	31
PID 1716 wrote to memory of 1852	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	31
PID 1716 wrote to memory of 1852	1716	10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe	31

C:\Users\Admin\AppData\Local\Temp\10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe
"C:\Users\Admin\AppData\Local\Temp\10902a80967a842db275c634e08252acea526cb8cf175a1a4a1393030d54a118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\SysDrvZJ\adobsys.exe
  C:\SysDrvZJ\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintFL\dobaec.exe

Filesize
2.6MB

MD5
42e9d8e5c69a15bbf5f4074b61aa7a84

SHA1
b57cf1b050b7c9aab4ef803c879db7950b5a362e

SHA256
e9a420d6bb5e88857398a21fa00c6dc3bdf4caba4774caba96fa36a8294adecc

SHA512
d82af46f72c67487ef9f7168ae0cd457881d5598f4a19a33dc5bb35c90bb39c0db38d3f6d70cebf4e67d0711a29233f68dec3c41e8f9a2f1e65baeb69fe2932e

Download Submit
C:\MintFL\dobaec.exe

Filesize
2.6MB

MD5
5e1917eafa03504b82aa6862a828c02c

SHA1
09e7a83f0b94637171a8fe5807a350fbf0720391

SHA256
ead49cfeda1ac126fc3731ac73b4d78499e15a851a750df05d6408f159e34376

SHA512
006fa5d43ad734613b4a376590e2240ccfa604e0e5763e0212e5116198e90e9588c4a7824baa843e110504ed6b0048ee9b8c9a6ff2f32424795187734bb84daf

Download Submit
C:\SysDrvZJ\adobsys.exe

Filesize
2.6MB

MD5
4e8cb0d5eb98591308b91fde1a6ef46c

SHA1
82d6e6082dd52ba87c5437eee0b59bef3425d640

SHA256
33a37bc422f47661e843a0b83c11e73849e3b9a9f9865bba179af1f343a262fa

SHA512
863ca50b089679f6cf12c3795d6897ff8e9cf17bf282d77a69892b4ba891210c5db22bca40b356c206007c47186ef742e6a5d7b05912878bfc1520ad45f0ad1c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
62a223ee839d6d0e997dc7c52c53558f

SHA1
a3b49a795654e5539667cedeccf5027f40278aa5

SHA256
0a8d2068964e92e890728a448a9d787b985132bd3f34f30df492c17c28512170

SHA512
8ce519ed17992208759100e9d7b7237723a8b27a38ecde0da47d522032bbec5e805a761b3f925208f373762893ec97ce386296cafe73fc4f001ff6f2c07be14b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
68ec35f4dd43d7f13222177a1693117a

SHA1
34a9b4ca9a62d4dd54c1c3024dca23c5a56fb8d2

SHA256
bda605b239a64efd736ee1b397988aa543842b73377016ded74492fc46503fa8

SHA512
e8d31c82132e7bbbd26c8156f90398dc0ad3efbad8e7b3db13e8711c66ef222d9a3fd5ea7d93a8553808f419bf40d28edcf84c722a58508d48697a999b765597

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
c433d40d63cb4f72588241bdae5c4195

SHA1
be062f51130f779c664fb2b624cb679406d9feaf

SHA256
056e31f211ff9a070187c007eb4685d86cd776e0403339b4402d7239ad0f5a2c

SHA512
4e34d658876a5c21fe03010a1748fdcd7c45239c6d21512fc83c049c5b6e9c652df80f2013128da89c9a421cc08a1f911948de7bde5b64984b243f97299b3005

Download Submit