Analysis
max time kernel: 120s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/08/2024, 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 1454ad825bd6c8f015b5b9aca1632310N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 1454ad825bd6c8f015b5b9aca1632310N.exe
  Resource: win10v2004-20240802-en
General
Target: 1454ad825bd6c8f015b5b9aca1632310N.exe
Size: 2.6MB
MD5: 1454ad825bd6c8f015b5b9aca1632310
SHA1: 73715608800c2b1373ef1f4b3be103cfbc91b474
SHA256: 2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259
SHA512: ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, the web browser credential store.

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 1454ad825bd6c8f015b5b9aca1632310N.exe

Executes dropped EXE (2 IoCs)
pid | Process
4904 | sysadob.exe
3300 | xoptiec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFA\\xoptiec.exe" | 1454ad825bd6c8f015b5b9aca1632310N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAJ\\bodxec.exe" | 1454ad825bd6c8f015b5b9aca1632310N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1454ad825bd6c8f015b5b9aca1632310N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe (4 entries)
4904 | sysadob.exe (30 entries, alternating in pairs with 3300)
3300 | xoptiec.exe (30 entries, alternating in pairs with 4904)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3412 wrote to memory of 4904 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 87
PID 3412 wrote to memory of 4904 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 87
PID 3412 wrote to memory of 4904 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 87
PID 3412 wrote to memory of 3300 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 88
PID 3412 wrote to memory of 3300 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 88
PID 3412 wrote to memory of 3300 | 3412 | 1454ad825bd6c8f015b5b9aca1632310N.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
  Depth: 1
  PID: 3412
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      Depth: 2
      PID: 4904
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\IntelprocFA\xoptiec.exe
      Command line: C:\IntelprocFA\xoptiec.exe
      Depth: 2
      PID: 3300
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 303KB
MD5: 215c25d26ffd06c0b37405fca16dd463
SHA1: 1488b2ac4efdcb3cec596d664a5b372b93e6701c
SHA256: 1cea2d5d6ca3b64f57b4ed74ebf4802ad0f4f53329ddf61be4a3fde6f1b9ce67
SHA512: 82213663d545e3a1a6087a4a94cd5bdeb25c323d298b9aa6d228b5f34721237573c79da23add48c11584a7aa232913c388cdb37d1811a3f83fd3aaabe45100e2

Filesize: 2.6MB
MD5: 247905a9b0628414b1b590f2ef4c0776
SHA1: 597f6c75ca1786c55fb78e287db2717b13bf10b0
SHA256: afd65e98969853e46eb71f484a65ba1e630842452d04f5c709a62641c62ef9f3
SHA512: f6fe6794459c1c8c03e9befdd95b13af7170c94940bd1cf7231dee7e01094433f0637c36ffb17d880dd8e5d69e1dea6a6e7c1aa72e5c964b61d36fe388268cef

Filesize: 202B
MD5: a1283dd5c3ee4e5614ccb8223b079a79
SHA1: 0c68c39da326d4167d302b47c712e23af6c80061
SHA256: 139459f50f57dcf2359650d568682f800d68887a0b55dcf602f97e87721f11c8
SHA512: f5a5689a6d0f7bd55c307bdb53053edb0b8032733b5b995b1d6f5930c739995e000c8cd228d1d5a41f90bf6f75e0466921764e47fd77eb45c591e643565cd615

Filesize: 170B
MD5: ffc58ac99b6a39ba2e8e7925317647a6
SHA1: 7b7a3fcacf9c02e4f5cda88797d3fa1b6a1fe1fc
SHA256: f84234f8c8f3a748a47f7c7e370dc4d89fcd3be86c609b45645bfc82f28111d7
SHA512: 304bd5d827063b2997e71f8e2251cff28e8996fd7448bb28b42c228aa7e05305db37e5c16fe6dd234a43ebb49e70179660b267d87442bbadc860d728de94994d

Filesize: 2.6MB
MD5: 883fc423a0ae2e694f973ace798a9076
SHA1: a5e4756605948c4b9ac45f616c4778be5e7f4024
SHA256: 840e697c90b33d430c2861cc1847e2212a415c22730c70cb0089ed48968a62e2
SHA512: c6d1066ad5365d615d3519b4a8167ad55edd26589ac730ee282e5d2c8a454da548ccbcf962fc1fdca332b4ca0c20e53def451c2b0c4dc7fd04544bd1866cad44

Filesize: 2.6MB
MD5: 584b5529b7215f296556284518817be5
SHA1: 3a71a7da8a683c4787f158c258589cad814e9718
SHA256: fb6500485ddc4bd45caebab384ad28748e867c5ee9e8ae48a7d5ab65bcb7feda
SHA512: 3eed7f363e73367289353fcd8afa8c6d2aae17b238a42a3f5ef14374888622b515f6ebd94c7b980339446914a71c1f4416c608b6ced32f3a943000e680be00f4

Filesize: 2.6MB
MD5: 4d79d663909d42d95db9fecbbeafa477
SHA1: 71f7b23e7405aa1c5483d490f26d50f3a8af7607
SHA256: 79ce00d364fa673b97bf4a4e47a2e92b2335ee31c3e076b8eaaf2070b564a8a9
SHA512: 9681c566559fdf83adfe44feb423cba414462cf4fef139e2fe3e7d345523ce562fa448df44ac6427764ae8d947c54c68c44344dfc83ba06cfba4f063cf351714