Analysis

max time kernel: 120s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 14:18
Static task: static1

Behavioral task: behavioral1
  Sample: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  Resource: win10v2004-20241007-en
General

Target: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
Size: 2.6MB
MD5: 17bd71999c3667dfe3464ed87b0aec40
SHA1: fb31deedb3f4a7c27e38ba54c023e1c18fc8979a
SHA256: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170
SHA512: 5e8117c8ebbdf6954a3d7ae066daa7d4287686b02a65160fe61a1ce3ab24333463addf8218d64a01700473b2562fd203a5e1b2f90d469572427cdb38129c1d10
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures

Drops startup file (1 IoCs)
  description / ioc / Process:
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe

Executes dropped EXE (2 IoCs)
  pid / Process:
  896 | sysxopti.exe
  532 | adobloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU6\\dobxsys.exe" | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMZ\\adobloc.exe" | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 entries; identical rows collapsed):
  412 | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  896 | sysxopti.exe
  532 | adobloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target (6 entries; identical rows collapsed):
  PID 412 wrote to memory of 896 | 412 | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | 90  (3 entries)
  PID 412 wrote to memory of 532 | 412 | a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | 93  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
  PID: 412
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (child of PID 412)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 896
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocMZ\adobloc.exe (child of PID 412)
    Command line: C:\IntelprocMZ\adobloc.exe
    PID: 532
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads