4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551ca

General

Target

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Size

2.6MB
MD5

3fb6b2cec6f02b0d7bd987047df69780
SHA1

afd93d71620862d36bb59a0aaf94c26cec7b953d
SHA256

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551ca
SHA512

4979967dc5146b8c7a9d9920b308ac4178d603f9060150d663a8c947920de3dc3ceeb24b77a11ed8fb59357f18c909fd5fb42f5e52ec4d91cfabd0d971afb4f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpkb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevopti.exeadobloc.exe

pid process

3432 sysdevopti.exe
1436 adobloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3432	sysdevopti.exe
1436	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUS\\adobloc.exe"	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3O\\dobaloc.exe"	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exesysdevopti.exeadobloc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exesysdevopti.exeadobloc.exe

pid	process
2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe
3432	sysdevopti.exe
3432	sysdevopti.exe
1436	adobloc.exe
1436	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	pid	process	target process
PID 2176 wrote to memory of 3432	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	sysdevopti.exe
PID 2176 wrote to memory of 3432	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	sysdevopti.exe
PID 2176 wrote to memory of 3432	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	sysdevopti.exe
PID 2176 wrote to memory of 1436	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	adobloc.exe
PID 2176 wrote to memory of 1436	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	adobloc.exe
PID 2176 wrote to memory of 1436	2176	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	adobloc.exe

C:\Users\Admin\AppData\Local\Temp\4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
"C:\Users\Admin\AppData\Local\Temp\4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\SysDrvUS\adobloc.exe
  C:\SysDrvUS\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint3O\dobaloc.exe

Filesize
2.6MB

MD5
7dd4d302f6b83af200ea5d755dcf3b21

SHA1
0bc21832e728b2359784fcc3b2be92be851caf5a

SHA256
9406f7a9ba9c289249dfe1b1b7a2af932fa66c49c9febe8216e43b28fb9d1a69

SHA512
fd84970677de6a00f71d2176a9270e871a693846479c206859dea180935fbba85006547df89771b81c96922a809e2e700fb30835ea11417bb12ff6ba5151b881

Download Submit
C:\Mint3O\dobaloc.exe

Filesize
581KB

MD5
43b841e9869c659037934eac3a3a59fb

SHA1
b386fd85b90b700bfd4d0140a9bd61b7ec114125

SHA256
020c37dad792b070447ba849fb28939d66b975503edd8b0fac03b478f45c471d

SHA512
02c96a143382187049ca758e3ae2a205dc624ed512e802f0f8d4e394060db9a4761f718c3ec091d951ce828096e1e6c9db2aaf41bc1eecf25f646413786d0567

Download Submit
C:\SysDrvUS\adobloc.exe

Filesize
2.6MB

MD5
ee9bc729b1e50bd47417303f948f920d

SHA1
494a4f472a1d2acef17bd471de7e2f564b741814

SHA256
d327a953adfeda7ba528604548b6589cbaf9f2bc11d735fbc464a9d84a2a2f58

SHA512
396d2667f9cc53e12479994547c0038e5c830fe3b069f45874fa7cabd1181d396550379e639c73f067473be1c52dbd076197b1e292bfe27143a75acd3ad454bd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
422b25f47efab423615db7ad016e2c7c

SHA1
3f29a9fc192a1f9d82eccbff0f853f6459482877

SHA256
b570292331de687d7f638e71aa2c61ec1cc121448dce4100d09ba0cf787e15c6

SHA512
cb502c52dec2e26faed2b91e08aaf68f885c577502a5f261e324fbec9d69a7efabbe4a4d01b8090d7c28429a39acc428e7317df09286f996f1626654bda28945

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
feb535f55ce5c65a5c424547164f9fb1

SHA1
b4f141e34534a6bbf7093391c7ab9eaca5df1a93

SHA256
a2a9be8cd6a38d61b9dc73290a8be34eb85ead56843841cf75bca44d5c83fd04

SHA512
10e399d33bae128118eb73fba0e11360d20c6cc7dc16cc83667c09dd053e9e5beae330cc7fb6219a58a7c4e5627a41812f9ebffc48a2f452605eade7f2df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
9c5d77f507b02e2383b95fc8f654b8d0

SHA1
ecba4f4e0cc6a5193f333d0fddfa085dfd20d778

SHA256
5ee733a1eb31a3093ffbbc846b7d2d16231f19dd027d7c602045ad305dcfefc5

SHA512
114cbd9c2de5bd976e6122becf5fec52011399cb78e7aa842faf1716bcdeefe677aeb1248f1cacaf4d9c2a27c9c66bcac1d0051512eb6f9970cf58ba7c8baffa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads