Analysis
- max time kernel: 119s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2024, 13:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  Resource: win10v2004-20241007-en
General
- Target: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
- Size: 4.0MB
- MD5: 14be2a9e768c5f9b271bb6e12c719800
- SHA1: 296d5bd1976aa5a7c4171a877fb03a99ee7b0c82
- SHA256: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904
- SHA512: c43f39c3c8aa961f320f4d47d3b42afeb81e5eebab7f29730f919ef354fa474cc46ed5b854816d0731cb6118027370efdcf6e4cb487218229ac953cda1ac3468
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
- Executes dropped EXE (2 IoCs)
  pid 2220: sysxdob.exe
  pid 2360: aoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1O\\aoptiec.exe"
  process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4Z\\bodaloc.exe"
  process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: sysxdob.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: aoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3488: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe (4 entries)
  pid 2220: sysxdob.exe and pid 2360: aoptiec.exe, alternating in pairs for the remaining 60 entries (30 each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3488 wrote to memory of 2220 (3 entries)
    process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
    procid_target: 87
  PID 3488 wrote to memory of 2360 (3 entries)
    process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
    procid_target: 90
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
  PID: 3488
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2220
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Files1O\aoptiec.exe
    command line: C:\Files1O\aoptiec.exe
    PID: 2360
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: b5c0de4a0aeb209ef138246a7fb84861
  SHA1: d1d8776f857ca62f150a0ff55e52436c1f0d285e
  SHA256: 53a2e937a09f39809cf6cc39c9c16b6f04c72a56da860d85c5682e9c42221093
  SHA512: 8238641d9edf8d17ca4b133742898b11a31eaac6d0c14fb8b9bcd281980e0e91d247b5a07b0fdbf51312d51d7595a1ea2edc4a7e6a4ec65cbc9474b4dfd896c7
- Filesize: 4.0MB
  MD5: 70080309d1cf5ac0817d1e56e38026c7
  SHA1: 654a44a7013bc0d8fd46ff568a71ef2c4fb51eff
  SHA256: 8bef7198499be009425b3d9ad2237710a000d8b7ace1bd48a2af941a9a955a3d
  SHA512: 1c53b8097b2791b2080d8992107ebb082cc56ab4b5bb599beb1d790a10de18dbf2eec1ecdc861650d4fdecc4a58f7ab9ffc0617fd85164721a652d0ce05b63b1
- Filesize: 1.6MB
  MD5: afc3f238d7b77db08bff177f42f0da56
  SHA1: 23638de8b5081d205a77e7617bd11cf26b7e8a02
  SHA256: a2eef49fb4aec5ddfea8f1deb57fb39e92cb83e7b2a26bd182136fe8b2a6f2b7
  SHA512: 114aecd61e401401ab3b26b18a49bf3b6f44d09f0f8bb0f71ed7461a3bbcaf5454c8dfcb6cecca433a55bb473249ab52b202c8e566e99710104f992b12554ccd
- Filesize: 167KB
  MD5: f723fd14245742bc54fdaa5ce3177ac0
  SHA1: dfce84126d809b47ae87ce723b290779380ba5f9
  SHA256: 5a0b3e5642da5a6f5dddc996ae2d7c8f11cba9debb86835c041953f7ebc2fc65
  SHA512: e08e6388a8b777cd03ce50af18489246b563f5b70af24c693decc03b7f1ad43e8b007b1758b9fb65136d2a452575a052a91461bfd72555122174f54a5f072bc6
- Filesize: 200B
  MD5: f80bf74803b3472042ef15449cf19068
  SHA1: 32fb8b8ed1756a7ab77eba0f6ba55d80c1ea9a92
  SHA256: efa278446cd18a84941935b346039a335be87dd7284967c198c04681341de8c9
  SHA512: d42aa2907526736a0e31da396305be6f9d9a3d7af6ee5520a5dbe3ee334835a4060acb93e6dbea28068078bcf46e67942a14be9b2249aa6e3e8a88c7650dcf70
- Filesize: 168B
  MD5: 897f766a5006fc1352b43b59c1ab728c
  SHA1: 7a74164c36f6d737be9f12fa1337c662dbf9365e
  SHA256: 0a27024f7a752d2e34ad29702cd1bf7968c812da002cde7081fd4feb2b60866a
  SHA512: d5a38282be6dfef77894c372dc17b9b0c719d6738edc6e25ab2025fd3677ef82f94a54b42a417c8ca9dd5978355807d0c5eccb22b014133991208611e8ec440d
- Filesize: 4.0MB
  MD5: 00e6a9e7a3a8b9b41abe44c13d1a4085
  SHA1: 746f03f63a0833b3437016fe8645b6cb66a91cd2
  SHA256: 325966b84cdbaf8e73b2fc03fbbbef64fac8902f8c00d02e7e5f62aa4ec2a93f
  SHA512: 966ea7cdee1778796e808f5654383c05c9058aa0426c0cc7342271ff742420c2d30f7a8f367d05067752490511f3f3ee8fdc01e13833ac9cf3ec756508e098c2