1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
Size

2.6MB
MD5

83d78da539fa8f040ecef3a80c8fe5b3
SHA1

e1d6f12477524a14099ee0c1cdfc2d1ee5b0dcc4
SHA256

1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa
SHA512

1d35ea309d8416b92081d370b4f7ff9712d788d8ce7dbe77385c10aa0213ef10145c243e5adee53fd79b3ffca696ba0a28597cb64c39ccb1c25145fb8d97e5be
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSq/:sxX7QnxrloE5dpUpGbV/

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	sysdevbod.exe
2908	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ7\\adobloc.exe"	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSP\\optixloc.exe"	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe
2172	sysdevbod.exe
2908	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2172	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	30
PID 1128 wrote to memory of 2172	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	30
PID 1128 wrote to memory of 2172	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	30
PID 1128 wrote to memory of 2172	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	30
PID 1128 wrote to memory of 2908	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	31
PID 1128 wrote to memory of 2908	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	31
PID 1128 wrote to memory of 2908	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	31
PID 1128 wrote to memory of 2908	1128	1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe	31

C:\Users\Admin\AppData\Local\Temp\1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe
"C:\Users\Admin\AppData\Local\Temp\1c038320a600ab6050f491ec728a001d86e7ca1d0594ba252651cfb9baf5e0aa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\FilesZ7\adobloc.exe
  C:\FilesZ7\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesZ7\adobloc.exe

Filesize
2.6MB

MD5
31b70b77caadabdbebaf9f5721c009b7

SHA1
3af33cb56bc73f18d4880350a2b5f6f52fdb2490

SHA256
1f1ec0689a162e4e8934fdb8b9816e236ab9dc8c4abaf27fa1e77122fb9090cf

SHA512
3e342b4345af5f9f50eb84014080893d05f9b43b7d9801a8075c7f4383dc34fb5270682753a8a1a7a6bbb990115bdc079eff0ec492ace85892c9740ae563823d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
c4ad7782cc82358f4feeabc1894ed067

SHA1
ca64cd27378f7e5ba9a6e517d570b5842226df23

SHA256
d0c958dee8bca0e5eae85edf5f5f0c62ca36dcc9c4677c381d1542337171fb6d

SHA512
c0baf2c73e5a28a7f46ac2054f70e51c3bf6672e64eff10c13e4ac799a5adf69bbe7fff23e30a7751645fc3bf3968a4ff91f52ce0718d714f090ac9de7b1da3d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
fa8f9e3b9690acb650ab522a8dd9d71a

SHA1
239997da01760b76103355bd828265a1dc7e3e88

SHA256
425aa457c9ff016213c70e331abbcf83a2cc14d3b4d0a11fb89615fc7abb8a97

SHA512
143307e067b75aa25f089920ed547e56ac2b7e3ba009838dfbba36ab96c2521511b1cac60e5d825f21d892089dd7d5cf7fd35cec852bd54b5d1994f3c0729cc0

Download Submit
C:\VidSP\optixloc.exe

Filesize
2.6MB

MD5
4d931283afd7228b1ba8bbcb350d20aa

SHA1
93737ecb1f7844ff469d32823a7ccb0f95278da6

SHA256
d9d27115eef9439f0ec86290ae9b957cc68687e3dfe2924f14d2f9f62aa909d0

SHA512
e5b942c516baa511a9315bb9d26e3cab10c8cefe91bea8718fd6d2e94816d336e04da5402437069882222cab0c87453de91124f61271d6f7c502279d2e2e8f8a

Download Submit
C:\VidSP\optixloc.exe

Filesize
2.6MB

MD5
54fc4c2d0dfa3c7c66fc039fa6dc4ddb

SHA1
df5295e7eb079bb6e18363a466fa6dff39b4131c

SHA256
14e19c92603e6f38f2a08fd9bafe3fd5317b417bb60dca4c726071304c83a95a

SHA512
45364b9203d14612b433c841ec37c6ac19aaac9a3231d8045ad648c084e8b7d5b2d72493f5ee79c2ee2aef046ac86a56258c49ef4b30910a42e1b62cdb125594

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
7d63ddfc1aa1e6ea55d6e160a5804caf

SHA1
b7136289f5f3c8451bbe22d7115c77ffca15e64b

SHA256
4409c4c9d0fc284416c847bb7b105de782bf7b6d698d434a31b494049a69c0e0

SHA512
42bad2d1922a0fffaeea4cc32aac4645b2660891d53b032142c593745a3adc0a6590bd8a2524b5ad31814f780d9196ba0c0ece43529fa24fcb728cabefbb8256

Download Submit