Analysis
- Max time kernel: 119s
- Max time network: 17s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 21/10/2024, 14:18
Static task: static1
Behavioral task: behavioral1
- Sample: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
- Resource: win10v2004-20241007-en
General
- Target: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
- Size: 2.6MB
- MD5: 17bd71999c3667dfe3464ed87b0aec40
- SHA1: fb31deedb3f4a7c27e38ba54c023e1c18fc8979a
- SHA256: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170
- SHA512: 5e8117c8ebbdf6954a3d7ae066daa7d4287686b02a65160fe61a1ce3ab24333463addf8218d64a01700473b2562fd203a5e1b2f90d469572427cdb38129c1d10
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (process: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe)
- Executes dropped EXE (2 IoCs)
  PID 1892: sysabod.exe
  PID 1856: xoptisys.exe
- Loads dropped DLL (2 IoCs)
  PID 2352: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe (2 events)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMM\\xoptisys.exe" (process: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTA\\dobdevloc.exe" (process: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptisys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2352: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe; PID 1892: sysabod.exe; PID 1856: xoptisys.exe (entries repeated; 64 IoCs in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2352 (a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe) wrote to memory of PID 1892, procid_target 30 (4 events)
  PID 2352 (a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe) wrote to memory of PID 1856, procid_target 31 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe (PID 2352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (PID 1892)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeMM\xoptisys.exe (PID 1856)
    Command line: C:\AdobeMM\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads