cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
Size

2.6MB
MD5

c9f80197f3507d09e177ff32845328e1
SHA1

9e61ab9553bfc040bfa9ac02bb88d66a08558ea0
SHA256

cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695
SHA512

fabb0b6e8e95fc1a6c534569c764957f4be1b89483b8e940d7d8ab748fcee606e91162f80cb659a907990aee58e6ae3bdcd20b2c0af6470551d87e4da6044d03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSG:sxX7QnxrloE5dpUp5bP

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	sysabod.exe
532	xdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLC\\xdobloc.exe"	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGP\\optidevsys.exe"	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe
2716	sysabod.exe
2716	sysabod.exe
532	xdobloc.exe
532	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2716	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	86
PID 3012 wrote to memory of 2716	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	86
PID 3012 wrote to memory of 2716	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	86
PID 3012 wrote to memory of 532	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	87
PID 3012 wrote to memory of 532	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	87
PID 3012 wrote to memory of 532	3012	cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe	87

C:\Users\Admin\AppData\Local\Temp\cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe
"C:\Users\Admin\AppData\Local\Temp\cd2270f14c1614c3c7c44e7cb6b0101b5fbe859ca432ec60858c85879305c695.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\AdobeLC\xdobloc.exe
  C:\AdobeLC\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLC\xdobloc.exe

Filesize
2.6MB

MD5
c543aac7dadfd5239cf74952db9e514f

SHA1
9e59d587be8b4836b028b629ba8a4214c330977e

SHA256
cbb0332be71674104efb37f75842c4183ab859193321bf68d634a90dcc688168

SHA512
33caf55e9427a67e4728e2c395136d5b45091dab57d024f746c289d79e844a847796debf789ff55ab18f877aa272e94cc6a3dbc787ea68a89ef8c4b3cece8f0c

Download Submit
C:\MintGP\optidevsys.exe

Filesize
2.6MB

MD5
7707a2817c0009fea62a681b16b17817

SHA1
77e119fedf724887963e7cdfbece92aaabe1ef75

SHA256
c464f733dc2227d70fcd2b7f883aaa35eb2aa9fc8e6b6c09aaa8e79abe9f957b

SHA512
88aa7155a1ed323d85ab0cd22a35aa2b3f1f97f0d1c6f3b66b7823a7d29a2c624c3f25e8fb33f6a109487e2bad317716541ad597eb7e607a8065b89c9d913aef

Download Submit
C:\MintGP\optidevsys.exe

Filesize
115KB

MD5
699a30fb8d0997bfba24c069833f9d3a

SHA1
62527172207761f6653f3b570413eb6322afa913

SHA256
ae27244b4347e1db8477b91053b5d85ffa1c3d7f4f8011c605db503bbe6e0f12

SHA512
3264499bccb65139b9867923a9c22109a99a0aae1323966f245b8f9884dc90db881200ba2558b93594735f019dd12d7a512283577166e8b8bbcc1665ecab725d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
83645dbf630cec6e33d172fac7d34ffe

SHA1
ca774fd6275fafb4dc9e54126ca9b341e2500524

SHA256
463816bbad8ae4dd5be1b2064fc0e22f9a9da15f8d374108b3924c3bb72dc1db

SHA512
88b8d7bdcd4cb182ebaeb6c7a02adb3c21c817509fb9c1e837167f9ef7f79c1c8633350d2808f7e8d9bebeee18195cf613ecc9c4e1a922c9f6d565b3b12d1c42

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
c4b83a5530f7a7413d3cc0fac59bca71

SHA1
eb08ec924d6fa3dd0b953509cb7f42e727b0fa42

SHA256
13fbbba9eb09a8522796a82524a9adadbe2d9f848a04d98eab5144437dc319c7

SHA512
d99d7e1fc006d30c4bdded763a6efb6691498a82d4c0aa082f8cb8a99178d07e4e3d20f7907b6e45562b855343fc654cae8a922b8518c5d66242a9b8d696ba89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
ff9a0828b59d88e76b28ec89457f471a

SHA1
d23551605b2d9c82547157af75512682e147c6dd

SHA256
b2eebbd590509b585126a9c71794863e3bcc54dccf77f58bcc0e21e6ef706afc

SHA512
4acf4470ec19d764c14d182e77ce0f363485b9962d63fc4c8cd8954bed9fc5c8240e7e772d16139828f603b2ad19a274b957deec153a785ee3c51a8061c12c1f

Download Submit