Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/08/2024, 08:43

General

  • Target

    1454ad825bd6c8f015b5b9aca1632310N.exe

  • Size

    2.6MB

  • MD5

    1454ad825bd6c8f015b5b9aca1632310

  • SHA1

    73715608800c2b1373ef1f4b3be103cfbc91b474

  • SHA256

    2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259

  • SHA512

    ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe
    "C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4904
    • C:\IntelprocFA\xoptiec.exe
      C:\IntelprocFA\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocFA\xoptiec.exe

    Filesize

    303KB

    MD5

    215c25d26ffd06c0b37405fca16dd463

    SHA1

    1488b2ac4efdcb3cec596d664a5b372b93e6701c

    SHA256

    1cea2d5d6ca3b64f57b4ed74ebf4802ad0f4f53329ddf61be4a3fde6f1b9ce67

    SHA512

    82213663d545e3a1a6087a4a94cd5bdeb25c323d298b9aa6d228b5f34721237573c79da23add48c11584a7aa232913c388cdb37d1811a3f83fd3aaabe45100e2

  • C:\IntelprocFA\xoptiec.exe

    Filesize

    2.6MB

    MD5

    247905a9b0628414b1b590f2ef4c0776

    SHA1

    597f6c75ca1786c55fb78e287db2717b13bf10b0

    SHA256

    afd65e98969853e46eb71f484a65ba1e630842452d04f5c709a62641c62ef9f3

    SHA512

    f6fe6794459c1c8c03e9befdd95b13af7170c94940bd1cf7231dee7e01094433f0637c36ffb17d880dd8e5d69e1dea6a6e7c1aa72e5c964b61d36fe388268cef

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    a1283dd5c3ee4e5614ccb8223b079a79

    SHA1

    0c68c39da326d4167d302b47c712e23af6c80061

    SHA256

    139459f50f57dcf2359650d568682f800d68887a0b55dcf602f97e87721f11c8

    SHA512

    f5a5689a6d0f7bd55c307bdb53053edb0b8032733b5b995b1d6f5930c739995e000c8cd228d1d5a41f90bf6f75e0466921764e47fd77eb45c591e643565cd615

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    ffc58ac99b6a39ba2e8e7925317647a6

    SHA1

    7b7a3fcacf9c02e4f5cda88797d3fa1b6a1fe1fc

    SHA256

    f84234f8c8f3a748a47f7c7e370dc4d89fcd3be86c609b45645bfc82f28111d7

    SHA512

    304bd5d827063b2997e71f8e2251cff28e8996fd7448bb28b42c228aa7e05305db37e5c16fe6dd234a43ebb49e70179660b267d87442bbadc860d728de94994d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    883fc423a0ae2e694f973ace798a9076

    SHA1

    a5e4756605948c4b9ac45f616c4778be5e7f4024

    SHA256

    840e697c90b33d430c2861cc1847e2212a415c22730c70cb0089ed48968a62e2

    SHA512

    c6d1066ad5365d615d3519b4a8167ad55edd26589ac730ee282e5d2c8a454da548ccbcf962fc1fdca332b4ca0c20e53def451c2b0c4dc7fd04544bd1866cad44

  • C:\VidAJ\bodxec.exe

    Filesize

    2.6MB

    MD5

    584b5529b7215f296556284518817be5

    SHA1

    3a71a7da8a683c4787f158c258589cad814e9718

    SHA256

    fb6500485ddc4bd45caebab384ad28748e867c5ee9e8ae48a7d5ab65bcb7feda

    SHA512

    3eed7f363e73367289353fcd8afa8c6d2aae17b238a42a3f5ef14374888622b515f6ebd94c7b980339446914a71c1f4416c608b6ced32f3a943000e680be00f4

  • C:\VidAJ\bodxec.exe

    Filesize

    2.6MB

    MD5

    4d79d663909d42d95db9fecbbeafa477

    SHA1

    71f7b23e7405aa1c5483d490f26d50f3a8af7607

    SHA256

    79ce00d364fa673b97bf4a4e47a2e92b2335ee31c3e076b8eaaf2070b564a8a9

    SHA512

    9681c566559fdf83adfe44feb423cba414462cf4fef139e2fe3e7d345523ce562fa448df44ac6427764ae8d947c54c68c44344dfc83ba06cfba4f063cf351714