Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21/10/2024, 14:18

General

  • Target

    a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe

  • Size

    2.6MB

  • MD5

    17bd71999c3667dfe3464ed87b0aec40

  • SHA1

    fb31deedb3f4a7c27e38ba54c023e1c18fc8979a

  • SHA256

    a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170

  • SHA512

    5e8117c8ebbdf6954a3d7ae066daa7d4287686b02a65160fe61a1ce3ab24333463addf8218d64a01700473b2562fd203a5e1b2f90d469572427cdb38129c1d10

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUpZb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
    "C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1892
    • C:\AdobeMM\xoptisys.exe
      C:\AdobeMM\xoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1856

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeMM\xoptisys.exe

          Filesize

          2.6MB

          MD5

          bca4ec2f7ef049849fad13d2cd302039

          SHA1

          016f54cea1fc44df7b96766bde30611952efc346

          SHA256

          6c7a4e54f64ff0511baba1e85178393224728b90191ff748545e427fbf34760b

          SHA512

          631bfbc8d0ba6dbf25dbf2a76870dfc981b58c23c27322a039286f80f07842381c2f80ef8c58f90471c8e95806e46c02b29064521f2ffe9a00f09a06b47eb052

        • C:\GalaxTA\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          6810c6c7dc1950a82822bee772c22321

          SHA1

          685f0abedbecd5cd3e322b5784b7cda2d9afd5e0

          SHA256

          f9b961b398d3f0a37ccdb2baa586ccd425893441837d0679b8bee0f936136c34

          SHA512

          6be4d2c4b253510923539915ed8fb53b232911fc36060afda19c98e2df83c1d74c21a0b53c5f20c17efe339c66b89a0be1a837cd6468964c8ea22491da4c7122

        • C:\GalaxTA\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          ccd73f864170972b977f6f3540c4948e

          SHA1

          f8fdd665ac873cbc47d09a271a01300ddf2c5dc7

          SHA256

          44811fe55204f79af6d8d2846122f34cb38f9be4d43d8481612c93792a15f0cc

          SHA512

          8c60fe0bd91d77151b218e88271bc369d15f91868127680d85ab3204f56f9a93c5078f172779e8f38bedb6d7922e9253033936fb96cf3a694761835e611b371c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          bea8c51006da4c19a3434213109453df

          SHA1

          86357fd3d1174378763fd4dc6722293ed900183c

          SHA256

          72c766ccf6c9bb563f8010c8172a4d01d07270f8d0d136ea8d9a3f7312b5923d

          SHA512

          b50bbfc832413d46e8ef9fa1f329fb85a24cd31e9659d84abdfba40b242b42d4366312a5c50e8def01efc90a2940c00882c717ef149899479756dfd5cb64ea76

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          03350d1432556c7e993ecefd8b24a9d5

          SHA1

          23df6d366792c4c3ef10769c544abd53f1eaf9d5

          SHA256

          a54cb55440e4481b6e65261c1904e5c6eb9c24e4a4f6af06044972c619165c0c

          SHA512

          2e7275468d1f6cf98ad55854fb2f48d5ead27cde0350cd0e0584580c59824ad0f052a5a0ab7399032aa9b90ae771ed8f814a222f1e409b54052df0dc0e0561c3

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          2ccd635014b83816afc3642238523938

          SHA1

          2ef312bc391206cebe620862f865406f66674437

          SHA256

          a73f11f47c121c9aca089ce8c6314920b9fe0b83f2de15bd5b5fe8ecda312f29

          SHA512

          163aa5de10a3ce046a2c358cc8a0526f6c27026a9ab5703809b3a7b929d92df7299fc519074e6e3a50b6ba2b44aacf62add9cd3320603d68b8324716a8721189
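Note that every dropped copy above (xoptisys.exe, both dobdevloc.exe entries, sysabod.exe) is the same 2.6MB size as the submitted sample but carries a different hash, so hash-only IoCs will miss copies on other hosts; the drop paths and the Startup-folder/Run-key persistence are the more durable indicators. The following Python sweep, added here as an example and not part of the sandbox report, combines both: it hashes files under a directory tree against the SHA256 values listed on this page and flags the report's drop paths, and it checks Run-key entries for commands pointing at those paths. The `read_run_entries` helper, the `SAMPLE_RUN_ENTRIES` list and the files written by `demo()` are constructed for illustration; the report does not state which command the Run key pointed at.

```python
"""IoC sweep for the artefacts in this sandbox report (added example).

The hashes and drop paths are copied from the report's Downloads and
Processes sections.  SAMPLE_RUN_ENTRIES and the files demo() writes are
constructed for the self-test and are not real artefacts.
"""
import hashlib
import os
import re
import tempfile

# SHA256 values from the report: submitted sample plus each dropped copy.
IOC_SHA256 = {
    "a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170",  # submitted sample
    "6c7a4e54f64ff0511baba1e85178393224728b90191ff748545e427fbf34760b",  # C:\AdobeMM\xoptisys.exe
    "f9b961b398d3f0a37ccdb2baa586ccd425893441837d0679b8bee0f936136c34",  # C:\GalaxTA\dobdevloc.exe
    "44811fe55204f79af6d8d2846122f34cb38f9be4d43d8481612c93792a15f0cc",  # C:\GalaxTA\dobdevloc.exe (2nd copy)
    "a73f11f47c121c9aca089ce8c6314920b9fe0b83f2de15bd5b5fe8ecda312f29",  # Startup\sysabod.exe
}

# Drop locations from the process tree and Downloads list (Windows-style paths).
IOC_PATH_PATTERNS = [
    re.compile(r"\\AdobeMM\\xoptisys\.exe", re.I),
    re.compile(r"\\GalaxTA\\dobdevloc\.exe", re.I),
    re.compile(r"\\Start Menu\\Programs\\Startup\\sysabod\.exe", re.I),
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA256, patterns=IOC_PATH_PATTERNS):
    """Walk root and return [(path, reason)] for path-pattern and hash hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            win_path = path.replace("/", "\\")  # patterns are written Windows-style
            if any(p.search(win_path) for p in patterns):
                hits.append((path, "ioc-path"))
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable/locked file: skip rather than abort the sweep
            if digest in hashes:
                hits.append((path, "ioc-sha256:" + digest))
    return hits


def flag_run_entries(entries, patterns=IOC_PATH_PATTERNS):
    """entries: iterable of (value_name, command) from a ...\\CurrentVersion\\Run key.

    Returns the entries whose command references one of the report's drop paths.
    """
    return [(n, c) for n, c in entries if any(p.search(c) for p in patterns)]


def read_run_entries():
    """Live read of HKCU and HKLM Run keys (Windows only); returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                entries.append((name, str(value)))
                i += 1
    return entries


# Constructed Run-key entries: two mimic persistence via the report's drop paths,
# the OneDrive one is a benign lookalike that must not be flagged.
SAMPLE_RUN_ENTRIES = [
    ("xoptisys", r'"C:\AdobeMM\xoptisys.exe"'),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("sysabod", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"),
]


def demo():
    """Build a throwaway tree reproducing the report's drop paths and sweep it."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    layout = {  # constructed contents, not the real sample
        os.path.join("AdobeMM", "xoptisys.exe"): b"MZ-constructed",
        os.path.join("GalaxTA", "dobdevloc.exe"): b"MZ-constructed-too",
        os.path.join("Users", "Admin", "notes.txt"): b"abc",
        os.path.join("Users", "Admin", "readme.txt"): b"benign",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Add the hash of the constructed "abc" file so a hash hit is exercised as well.
    hashes = IOC_SHA256 | {hashlib.sha256(b"abc").hexdigest()}
    return scan_tree(root, hashes)


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, path)
    for name, command in flag_run_entries(read_run_entries() or SAMPLE_RUN_ENTRIES):
        print("run-key", name, command)
```

On a live Windows host, `scan_tree(r"C:\")` and `flag_run_entries(read_run_entries())` do the real work; `demo()` only exists so the sweep can be exercised offline.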