Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 00:16
Static task: static1
Behavioral task: behavioral1
  Sample: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Resource: win10v2004-20240508-en
General
Target: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
Size: 3.6MB
MD5: 946e96ca62b871e3e14e970df293a6d1
SHA1: 677c41095bb811335f9c32d2817b9f3939ee37ea
SHA256: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d
SHA512: 3a1fcb107c961178251074d3eaaf65ff0b7b809b0ed012bca9b8c28e56aa166c3d258b8b613ef9a871fa83c4edd0f0012a71771e88ff4fea971e7726d3f95f03
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2836  sysxbod.exe
    pid 2624  abodloc.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1712  921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
    pid 1712  921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTN\\abodloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZN9\\optidevec.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (64 entries in total, each one of the following pid/process pairs):
    pid 1712  921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
    pid 2836  sysxbod.exe
    pid 2624  abodloc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  PID 1712 wrote to memory of 2836 (sysxbod.exe), 4 entries
  PID 1712 wrote to memory of 2624 (abodloc.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
  PID: 1712
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    PID: 2836
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeTN\abodloc.exe
    Command line: C:\AdobeTN\abodloc.exe
    PID: 2624
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 8ac3266f49c64040c712c10fc234c62f
  SHA1: 7e8e28c6cc34379dc2340090a3cae4aa5cb3b017
  SHA256: 58963c6000ddf5f43015834126faeeddc22046492ad23ab5dba6f201da9f7d65
  SHA512: d6abcbb842d9d1f686729b3b49c99b4b3195b3237a50bd265ffc881d66c92c120b42200a4e13070cfed1f2cc5905949742678a05ec0797401495eb2e4e10f38e
- Filesize: 1.8MB
  MD5: a11f76255b9ca6234bfd6aa66474643d
  SHA1: e3cc3fe2e8e1a624e3288e828320a33d91a8d733
  SHA256: 2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6
  SHA512: 5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56
- Filesize: 3.6MB
  MD5: 57b7a8c2696bdf520d0f67ec94999e80
  SHA1: 23193cc5ecafb03d3105652c63d52ee8471d22a9
  SHA256: 22db315a118f6a5505dfcc74d0dbfee8c6d1ccce5e4ba303feb64583d8d282f8
  SHA512: 82eabe55726f3c2e31738392a10fda92aef9d6c0b8d019b508e199126d6f576951fd031ce7e1a1019ce18724265f381faa0403a6c3880177472e7df20998fdbe
- Filesize: 170B
  MD5: 0a6940abb8c4b928ae79930eaa0e920c
  SHA1: 1051245de4f6778b6dfd598fbc79d42c76c99366
  SHA256: cdb565e608853f589933073e9803e1aed1a464f8ab2523fbd9118edcc935c388
  SHA512: f1f2920d5c3c6d3ef36472603bb58795464deecfac141f3ebd82d5c6f7d66d76aa07bbe833795a1e8f8fd8e8ba90b3c8dc26a97fff284c7a8abe251f91365115
- Filesize: 202B
  MD5: 684aa04252a9a110fe80d069dc598804
  SHA1: 6be7db7e9e7bc03f9dc84508cd8b3b756626a0e1
  SHA256: 1166674a2b3e1d233e73481a797faa9f62ff8fe6ec825e34586ca527c9edfb09
  SHA512: a739ddbcd21ab94f5d9018c8bed2de84febd0f4885558cec6dbcc694ca892f84a5b8ddcbbabdf76bb2166e8c6328da014896bc0bfe8b1c32260ecb41aef56cf0
- Filesize: 3.6MB
  MD5: 629d20ca24d7ce9efbc01469e7aac3be
  SHA1: 1369227bc1e0b951dbd2e11fed2be193f1ccd9ee
  SHA256: 24d0f43a381c1eaa0dc2a821738982753a3882cfddd4b58935a014a8a62b2d84
  SHA512: 254f7328b8a47de90fc80aadceb79b4fe7f814906fb93b62e72b84bb6617742d29d3a7ff70eaa2af04c2831f6c9c7418eae3a2458f3edc9b962a6cbaa13ce9fd