77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Size

2.6MB
MD5

0375775bd6458bc3b45ee5d1897144b1
SHA1

d7cb4fbdbb3e20524646ae1e44a0f69e87a19780
SHA256

77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4
SHA512

31a297db3acc37ccd9e5b120576520d2575624c91fccd297f2cf5bc2bc635b9fac3b17f315a302d525890003d3519b261bc0e5da6c02d1c510a40ba5311e0fad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUp0b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	sysadob.exe
548	devdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLU\\devdobec.exe"	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR4\\boddevsys.exe"	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe
2544	sysadob.exe
2544	sysadob.exe
548	devdobec.exe
548	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2544	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	86
PID 1096 wrote to memory of 2544	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	86
PID 1096 wrote to memory of 2544	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	86
PID 1096 wrote to memory of 548	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	87
PID 1096 wrote to memory of 548	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	87
PID 1096 wrote to memory of 548	1096	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	87

C:\Users\Admin\AppData\Local\Temp\77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
"C:\Users\Admin\AppData\Local\Temp\77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\AdobeLU\devdobec.exe
  C:\AdobeLU\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLU\devdobec.exe

Filesize
224KB

MD5
c095fd51f4563c08736ecca7f896c815

SHA1
d4d8a6ef43813a332070985bf5f869d5c5644e7b

SHA256
d4b09249d94f6371c70e9aa8846756a87f2e65321fbea9172107c8e1e59e3b81

SHA512
23c5641e6602b5d4842a7bb4eb9e0661afab19a9c427836d5410868e84fd3aa6a7db5d218f6dde83bdcd2f47f808e53459c9860997141f6c5b5255dfa3cdcf90

Download Submit
C:\AdobeLU\devdobec.exe

Filesize
2.6MB

MD5
0b4c92fe1d6bbe029b3d5c1ce767a42e

SHA1
89b28167e2fb2becb642f5765fcbc0b297327504

SHA256
e2f80ce117b214db4f96aed87ad4ffee3a38fb4eb7157fae04ce9957e7ac50eb

SHA512
4006e0ec41a049c1d7fa5e355b5cb8e79562a8369681456694a11be8d03dfe67c9f025437041c6ad242a73a6e81010ddc42765cdf7d12ef766af0264bf5d26d6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
5d5e99eef2ea10bba33b5c96e8d3d1e7

SHA1
58ac7501ab2ac56d3d01f5cdb8428e61661343a2

SHA256
1b998ab65666ddbcdf9e30d301aec1b6dd66a888c0b9f100d0a0ff64b37297a4

SHA512
6987b0b92460eea4016617417692f97353dd9f924d11d4903fba81b68e93dfc41a1c32f36738e43c7cfbde9895207a30553ebb98877326d79bf5c2b1127cedfb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
8107b3b8b21a85ab801e0792640a5444

SHA1
d19d4fc40773bc0c7671b07f8ed0529b2bddbf34

SHA256
533a31e67c01ac7e858a8e39d562ffa7b5d9837acca971f17bb6b7bac8d57255

SHA512
c56d59476a53920704c3acad690dea039ffd368bfa2aea965fa50f17a7baaa4bca093492c977322b04f4b252cc2e2d9c7e9f7dfef4529a7b223d4ba1c4a77ebb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
17b74a5f34de1f6890df55bfda69df23

SHA1
0a3003dcc1c5f26c4e0cb25c03ecddac1b8ae7d9

SHA256
8e43cfec2ce02f1a5a0ccc8a96b3804919f3706a802fab339095058f8ae1ff49

SHA512
b522a4777be94ac72036f878fa791bc3eb742e6b3d71e1af4fe12714c18cdc423e24a80d5379f1ed09ff641ff141bbc78c357c6fce14017eba2983f0c65b46e3

Download Submit
C:\VidR4\boddevsys.exe

Filesize
2.6MB

MD5
ef7c70945d12d883753b3f3893111585

SHA1
597b2465350d2ba325e0609e81c5e633ff92c560

SHA256
138f62f505cba58e474d0dd2c22ed3e1c4f954f967c8228302659cb17b8b87d0

SHA512
ab5f864dcba74d464751cb7c1f126576bf5a3133f5a357471491efe3c026c931609375484c2c811965edbbead8d0b5efe26ebe886180713d2e68fc5e26651a4c

Download Submit
C:\VidR4\boddevsys.exe

Filesize
3KB

MD5
1277107cabcc016a5fd1f1042e36a2e3

SHA1
d7f8e8f7a16218d6bb1dce7bd03617500801eb78

SHA256
8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273

SHA512
f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3

Download Submit