Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/06/2024, 20:29
Static task: static1
Behavioral task: behavioral1
Sample: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
Resource: win10v2004-20240426-en
General
Target: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
Size: 3.0MB
MD5: 4727d9b040ee0aa624713fe75d534379
SHA1: 037d1af38ad859a82ce3e0a09a31db3822d063e4
SHA256: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f
SHA512: e73b2a67e39a39f15edd8662fb46dbd3b8ed1d710a398b86f1576038c4a8e266c16c37661c15dff480cfe2079c1431a4624f3096c6db16ed5297e09b8eb92f13
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNX:sxX7QnxrloE5dpUpnbVz8eLF
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

Executes dropped EXE (2 IoCs)
pid | Process
2172 | sysdevopti.exe
3068 | xdobsys.exe

Loads dropped DLL (2 IoCs)
pid | Process
2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHE\\xdobsys.exe" | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSD\\dobxsys.exe" | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
2172 | sysdevopti.exe
3068 | xdobsys.exe
(the 2172 / 3068 pair of rows repeats for the remaining IoCs; 64 rows in total)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2352 wrote to memory of 2172 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 28
PID 2352 wrote to memory of 2172 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 28
PID 2352 wrote to memory of 2172 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 28
PID 2352 wrote to memory of 2172 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 28
PID 2352 wrote to memory of 3068 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 29
PID 2352 wrote to memory of 3068 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 29
PID 2352 wrote to memory of 3068 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 29
PID 2352 wrote to memory of 3068 | 2352 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 29
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe"
PID: 2352
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    PID: 2172
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\FilesHE\xdobsys.exe
    Command line: C:\FilesHE\xdobsys.exe
    PID: 3068
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.0MB
MD5: 3cf2aa331d966bbc7e900a4aa0da4eb5
SHA1: 6060ff46a29f94679c9debc34ba57c1ffb347f8e
SHA256: c4eafbe13ffded41e79dc520f215d130a610b1315d055f9d9695c08cb2a01344
SHA512: a994f99e3e879769a681263828cc20061448aec55f44774f94090b0c633644addf83f1c5737dfa3e39b2b00b542e82332d71b218064c388803d354ce799b0c10

Filesize: 3.0MB
MD5: 3ab20eb04bf117d293b2b173b46cf421
SHA1: 13a279dd3a6f32f3748559331aad834ea5833d29
SHA256: c7cd79839d9d579fad658ed96ef2ed26c8ead00bdb5c12a0fa1568500e283c99
SHA512: a234a14e4fa93d8e22d21f967213edd4ab658e0dc58041ac8221bbbc47e621c1a8714916598f1a160b565b12644c3b94dc4a775a53d30a4b1280c8504785ce4a

Filesize: 171B
MD5: 0e0023155685f24775b075491b8a142c
SHA1: 0c504c627013fdbb406bb9b3900cd580aa7282f4
SHA256: 884f606c8d089a07250b090097eaa195d77ae286a8a28192cc2edb85e7338dd1
SHA512: 860740fb9d0d61f4690f77fbadf15b880000a6ab721c6ea07d6533cb2003c6bc5501deb4ddfa41b92a7a281b9b4651a401db6905226e65e7544f6dc69e2ff845

Filesize: 203B
MD5: c73491ecb6955ef78e3649e30046eee7
SHA1: abd61f8cec8deba33164bd7250e21f2b11d2b991
SHA256: c95fe04a2d15fd3b6620f720a2c51cb3a4114372c933921dcedf3915c8f94dc6
SHA512: b2056c7c8a37c9d9aafe0767fe7cd0def0ec7a1164ea60a5c11dcf8b3fba40251e71374353d8638f00c404b97ab989108b3b87c629a1355f2b820e5945ee7980

Filesize: 3.0MB
MD5: 25636731376fccc8b8992e8215b9c823
SHA1: e12812761938ebe1ba7db6f3b3f138f969df92f7
SHA256: 74c9de95453d374e0701e07c6a396ce4f89174d1046c90104fa51e9181721b44
SHA512: 2f5095cc121fb1b71d9102bdb177443f4067ec7d9b9de865387c388e87db1b6efbbf362302567142389bf9c530b7856366f4d176698b7c8ea05f971216de415d