edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
Size

2.6MB
MD5

3905ee18c2f3156cfe49911d5a9ff6ad
SHA1

c067bb6a1d36ace10117da5517fae2d2b8fe52cf
SHA256

edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c
SHA512

72fe3647963db4ab9b3cb29ac1c522133e28f0e95c75bf2aec6c3bcfbda053438c4dfe7d9e4a2d5957c96146c6cda71d8b09c3827423b648322b74b503dc3faa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpAbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	sysadob.exe
1992	adobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNB\\adobloc.exe"	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTG\\optidevsys.exe"	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe
2968	sysadob.exe
2968	sysadob.exe
1992	adobloc.exe
1992	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2968	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	86
PID 1164 wrote to memory of 2968	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	86
PID 1164 wrote to memory of 2968	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	86
PID 1164 wrote to memory of 1992	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	89
PID 1164 wrote to memory of 1992	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	89
PID 1164 wrote to memory of 1992	1164	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	89

C:\Users\Admin\AppData\Local\Temp\edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
"C:\Users\Admin\AppData\Local\Temp\edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\SysDrvNB\adobloc.exe
  C:\SysDrvNB\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBTG\optidevsys.exe

Filesize
2.6MB

MD5
15d50e533205f1d6c2818d5ec0b49c52

SHA1
c0c0de661e83c31a2748e0ae3d9e6b76655bd8e8

SHA256
e51f6fccd3ed41c7b8762b8a44d976d96d54d6227ef7cf5ac3988628777f47b0

SHA512
f356c72077d3ee1e85f491007dbd5d2fcfa1fd3e1527ce18e1f46571d4f153ff3afee79fabc3ea2d5cbb10133ec7a7a108dd75c51e68f7b45683191c8bce73f3

Download Submit
C:\KaVBTG\optidevsys.exe

Filesize
2.6MB

MD5
139d115b4df5902dac541cd126207cf3

SHA1
f7b410236f01e891501ad696cac1dfcbb069b7ce

SHA256
7e8d1cfd7da3590dfa6c347802b9796674a719c383a118f64b8f0ebb4503e520

SHA512
77c7c2cfb357eb0af41ef40da88c91f55afea67dc5e70c2087eefcdd6be51e481eb67b6d6b0493ffbc3842b597d8c2b0409277cf7c346959d67d208abff0e64a

Download Submit
C:\SysDrvNB\adobloc.exe

Filesize
2.6MB

MD5
2a8f992c07eb878aa82441e78f9a5c1d

SHA1
f9f9a19ab5d8cbb572b07b86228e9a3c965865e1

SHA256
97312e2d2261618cfede7ec64f14852a3f7c5eaabbe57c96383173f6fa87b05a

SHA512
e1030b316dfc2a46c4c0f360449c39f698bac8b1e2b677e1f4133eb8c1fff3fbd8a7a76aee5351566d8b4450ba8448be0381f125480f2f26c4596870a233f4ab

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
9449e0591af1d063dbd451de9604dacd

SHA1
62928019bfa93b2bc7e8c6af17799d95869e0b3f

SHA256
e6cdd4911202eacf387d0adfb79af1ffd07c6431d7e2217f04d63bbbaf27a6a9

SHA512
1a2dfe58c0496ceb39a39f99bf253c591a526a1c2e705cf9f7856b1631ce4e8ff47a71fa44c6c72ed68486fb8e04b16df50f897df861d71997edced1c387b045

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
c03e40d10fa30168b6697a8cc5230153

SHA1
2c978c87f07cd9fbb4a6425dedf64417ceb823ad

SHA256
cfaf77e1f9007aed12343dcc790a0dec8ce1cbb25cc43179c7db5704c3767515

SHA512
4c382ba4fa340871d5f24e1964213d35139f1eb70f7ff44569714a35208280043da75ab92c44e609e2a89ba6f27a83c20eebbeb5193b51ec82a91a5be55eccda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
3b2500f13de509c1be35634e89af5608

SHA1
3606946e02d822753c419ea6ee10d93246d74c34

SHA256
5b95e03cd925223f4050e2bfbc200d9bb144e6a2236bcca3da9e282a0682cfe9

SHA512
daae9e294063ce8bf99cbfdaf1de1e92350d5d8244ca2c588594fc979c3aef19260fd390aec34e554fdee79232303b3e9797e5e77660e03cb2da4656112a10fc

Download Submit