Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 15:58
Static task
static1
Behavioral task
behavioral1
Sample
87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
Resource
win10v2004-20241007-en
General
-
Target
87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
-
Size
2.6MB
-
MD5
485119cab14345a88de5b76cdb10ccd0
-
SHA1
6d30a874aff198919da09984739c24ea6dd85ea9
-
SHA256
87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206
-
SHA512
f1d3483d567267362c868b0a28ebbc93dc767c824ccca0fc13bef04245f9a41868ffba9e2261d3d1f1df30c628f278b815ada0d76d19da98d493c693019e0fcf
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe -
Executes dropped EXE 2 IoCs
pid Process 1184 sysdevopti.exe 2840 adobec.exe -
Loads dropped DLL 2 IoCs
pid Process 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLQ\\bodxsys.exe" 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMF\\adobec.exe" 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysdevopti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adobec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe 1184 sysdevopti.exe 2840 adobec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 392 wrote to memory of 1184 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 29 PID 392 wrote to memory of 1184 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 29 PID 392 wrote to memory of 1184 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 29 PID 392 wrote to memory of 1184 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 29 PID 392 wrote to memory of 2840 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 30 PID 392 wrote to memory of 2840 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 30 PID 392 wrote to memory of 2840 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 30 PID 392 wrote to memory of 2840 392 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1184
-
-
C:\UserDotMF\adobec.exeC:\UserDotMF\adobec.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD59e5c47ebf907fd49713d362401639607
SHA17403795c61bdd015981490672424e91d407fcfbd
SHA256af365f05c0c1d759666fc1d08927c7b78c2e9a8560b24bac0ee3c0c971256006
SHA512df426977779c648e91a20a45f4cd6b01ac02de17c3dcb3fa76c2a763244c71749e20cec94f5ee0eaa711f5e014b96a39bf099515b4f7fffd578787f58bf99818
-
Filesize
2.6MB
MD5ff03a214bde96015a9ab7317d09c70cf
SHA134c5b89483d53bd81c5ea0e3c06b8a7588446865
SHA2560d45847b7939b06e826f91d86bda77480f92c33c40f79ef00dd7379d36725240
SHA512e43d9992a6a3961f55067947cb1acdbe145496e7cd2d772d590404e999dd0a32c0400f69f956f9d3804793418024d49321a8ed2937a1ac64f78603ce4944664b
-
Filesize
2.6MB
MD51847caeb026b2bf8d289901423efc9c7
SHA1677dd754a92e85b6aa9be35d144e627a1ab26558
SHA2568e9ea329f575ddff4bb741815e335e590cd0e18fa4ecb1e13f94765958c3f381
SHA5128e6ec98a250e6ccc3ed70b7fef284f448abb9938c5681bddb45a0b558a20ed0a0661dd3f8d29ab8d5b094c63b665aa12ebd8f9cc324c65b591e3bd539981251f
-
Filesize
173B
MD5a0c6dcc51b56622788643606a2d527de
SHA162cd38b62eaa37f614ed4f30b6331f426fba4d3e
SHA25647ed11d16479b7712ad89717b941c5a12f5d5a9d6a1c0f922a6cd5e17ebf72e2
SHA512fa6c36707f3ba78382dd6078747e24b2d7941e59dbcb0640abe15d1d8618b61469f1782663fe28029b372409fbb1b50c14b155de687ad103c2af6a36a65212e2
-
Filesize
205B
MD567f2c8b48294bde9a7a4a1d94a9cf141
SHA1fc991b3254d4ad05965b637361fb046595e35a9c
SHA256ecd9af44cd7bd720f072fb4f4bea588b756dee542575317911d4ee85de334041
SHA512358f8411f95aa19266d53d39cdec75794296fb5b256c3789916666b6ee622522da66b87a97b1813e6c23751837471f8093b14f054472b8a11b4baf7a9d0d41d7
-
Filesize
2.6MB
MD51770dd3b001c55598f0d309a36d22016
SHA13f74d6c04f83a4e01ceee3c8b8087e7cd7be66f1
SHA256c333a3b88f2e6aaf0d152f565d7c1cec270373b9f52ea9a1546d9a5dd2ef4410
SHA512f4d83c0dc2284fe942455d1ef7c7ba3d28395f5a654d8a7b422b68a4fad913d3827a0eeea505a9c593e55baa233e8a221c6a9b91abc86dc8f98873d8202d4e84