Analysis
max time kernel: 150s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:40

Static task: static1
Behavioral task: behavioral1
  Sample: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Resource: win10v2004-20240508-en
General
Target: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
Size: 3.8MB
MD5: 7119474195def2bc277329642d74f37e
SHA1: 8c9aed1f5b9183af9021ab64641a792000ec3f71
SHA256: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c
SHA512: 20bbf648aaba9e02a573feef5e539e98820ae7ea517f5d9360f9ac1107bdd6881c834cac2b4059c77c4454fa753b51180fb90409411c4dcc4eb23d302c9536f2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Executes dropped EXE (2 IoCs)
Processes:
  PID 2784  sysadob.exe
  PID 1840  xoptiloc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJU\\xoptiloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW9\\bodaloc.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the same three processes are recorded repeatedly, 64 entries in total):
  PID 2240  b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  PID 2784  sysadob.exe
  PID 1840  xoptiloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe (PID 2240)
  PID 2240 wrote to memory of 2784 (procid_target 93), recorded 3 times
  PID 2240 wrote to memory of 1840 (procid_target 95), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
  PID: 2240
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2784
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotJU\xoptiloc.exe
    Command line: C:\UserDotJU\xoptiloc.exe
    PID: 1840
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads