ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
Size

2.8MB
MD5

3def9385313d88b83009a0eb8dbb7077
SHA1

d366c1a0529f2bbd75bed2ef196a4de00a1cc143
SHA256

ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b
SHA512

171ea810ec30836214011f1d8e3df3a298e304f178f7252c5662f047526fef99b003cebf8d45e86e0650cc34da81b39ffb970edd89e8494c7155d043eea08704
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8X:sxX7QnxrloE5dpUppbVz8X

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	locxbod.exe
1496	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU9\\adobsys.exe"	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax13\\optidevec.exe"	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe
2156	locxbod.exe
1496	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2156	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	30
PID 2532 wrote to memory of 2156	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	30
PID 2532 wrote to memory of 2156	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	30
PID 2532 wrote to memory of 2156	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	30
PID 2532 wrote to memory of 1496	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	31
PID 2532 wrote to memory of 1496	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	31
PID 2532 wrote to memory of 1496	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	31
PID 2532 wrote to memory of 1496	2532	ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe	31

C:\Users\Admin\AppData\Local\Temp\ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe
"C:\Users\Admin\AppData\Local\Temp\ad2bf82f154ccf539fc63bb289f75ae8558766ef20af1977009ac0966d44219b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\SysDrvU9\adobsys.exe
  C:\SysDrvU9\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax13\optidevec.exe

Filesize
2.8MB

MD5
64d34105457ea46775aed96c6f9e443a

SHA1
37145af66e8376cbf692c9e0fe6394304830e4d7

SHA256
eafbf05d9857034ca3831ba0c04a3a3ed9b92118f016198bad2f0031540a71cb

SHA512
cd8fb1496cb52c4ff3202b06b4e6c1c19903eb9edbe9ab87647a715d18810984680866b52660e673fe1a87c703a3dd565fe8d5c7076287ee16452da5dfb9b3b8

Download Submit
C:\Galax13\optidevec.exe

Filesize
2.8MB

MD5
060d261cfeb4b6bafb76707736d85b40

SHA1
374ea83439041ea6f3d57f988675d2b691e17421

SHA256
cb098b134b5fb063b4a2a1b1f5257059123ec39e0a1669a1b9fa6513ce8fec0a

SHA512
2b15f010831b6ffafb0dc508a5f2cf8046c8397ea59efd80cfa96f8b9db0547e43bebd79230c61a92604d9fd76436beb2d7fd03962c67fef46bea443f0b3a291

Download Submit
C:\SysDrvU9\adobsys.exe

Filesize
2.8MB

MD5
bda6200dbfe14fe0c4197a972b865e43

SHA1
38f1466455e3b89f1ae116ffabb8301522d0a1df

SHA256
2424542d4af6326f8dde4422d7360c4c665ad1b0c8585414bf1e15c49522c689

SHA512
acc7b2e39f21ab3f16697092d3353ad8231875d95e60e58a867f109d153b4fad21e9c5dffc3ea85248e8311aca8e91d467a5ad6d46313ab29a6c818dd59276f9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
798ad520a07d989d4a7252247475d274

SHA1
c48d9e23aa60f5d6f9753eee359b7b8e7badbdb8

SHA256
b4c4b8a2eb64588636452d1f5778b7ac0f365b3f94df820933be49b2aa8fdb78

SHA512
0e0f5e3578337806283433d30dc7131677ac907a1ebca4cac7cc6032ba100e70bb86fc6a8d61fd409d88f27097b613fdac281bafa6e4e87534a4a730569adbc7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
07b7b7580f75773baf81e4e4ef1e65bb

SHA1
6fc73651ff244dad0dbc174cc7b064ff424e1e05

SHA256
ab40fb16a3ee84a132724dd77e0daab43aabc11301999d2e001745429f85bdc1

SHA512
a9150d2de9eab5f07c428fa4beb302349d3bd80ea4ee69a3b8130d5c2b8d05a60733769eab9d48de27f04ec5efbbb712b0ea9c05a5fdeee0d69ee95fdc5108ee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.8MB

MD5
1cb11815dcf6d1fa34bc0562e5c4af3f

SHA1
c3bb9ed63b5f554e864bc2d7d6c56942f48454f3

SHA256
b081ffd9f4a864f5fe2580089e9eb45ed04d249967805ab5af361afffae73bac

SHA512
14643873bedadcb2f8362fcced2e3f4ec7f3db17a7f1833d0fad507e074d956c86ea8cc608687855b4dc999e86397ccaa4cbd77f039c0a570bf4a909279a4721

Download Submit