Analysis
  max time kernel: 119s
  max time network: 103s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-10-2024 17:32
Static task: static1
Behavioral task: behavioral1
  Sample: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Resource: win10v2004-20241007-en
General
  Target: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Size: 2.6MB
  MD5: 5cfb5045a8a94b4b6c681757807af2b0
  SHA1: 3cbf6a14a1ba6433233a88202d6db47b3bda51ae
  SHA256: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086
  SHA512: 78fb6a66d74c148586c47eef9db5a508d7997ce2ca464ed59a4954ca6b3a377b77c2fb2e7bf30cf53ec0460f86647c4ff85284d26c5940628388fdb1ff8b8d91
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

Executes dropped EXE (2 IoCs)
  pid 4984  Process: locaopti.exe
  pid 4596  Process: adobsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYI\\adobsys.exe"
  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUX\\boddevsys.exe"
  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locaopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3516  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe  (4 entries)
  pid 4984  Process: locaopti.exe  (30 entries)
  pid 4596  Process: adobsys.exe  (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3516 wrote to memory of 4984
  pid: 3516  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe  procid_target: 89  (3 entries)

  description: PID 3516 wrote to memory of 4596
  pid: 3516  Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe  procid_target: 92  (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
   PID: 3516
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      PID: 4984
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeYI\adobsys.exe
      Command line: C:\AdobeYI\adobsys.exe
      PID: 4596
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 2.6MB
  MD5: 3b477f47d6f8caae63a2f1c0e85f7b79
  SHA1: 59740ad26bb9ebd29de1715af29c6e0317487548
  SHA256: 8e142bb68730f5c875b94e32473b39e19e14f4227f4bd7f021c828cb35d3ba83
  SHA512: 918f34b88392f206d1687e5b36c36dd7c1ec104584b2f9178ab7bcdc0d836d492ad73d35955bfe0d57dcbcb6e3a9f99d792e44ab725f6cb574ecce707544203a

  Filesize: 2.6MB
  MD5: aebf8df897bafdbe1f72d99c04455d6a
  SHA1: bcd783466be3431826b1facb65fa864dc5d421aa
  SHA256: 7ca99160fbf28242ac1b0bed1e7943d0908b4136bd44c90c3808f7917f08889a
  SHA512: 8346123c8c1e4a03eb33603be70dfa40fe2b3ba07d3d322957baafd8a589f01bde554dac4bd75613e848f1ac75ce2c58c0b7450f42b9753247f77108b42e6ad2

  Filesize: 1.5MB
  MD5: 07e82883123d9ae3b4eecb5436022666
  SHA1: dbd61f5489aa9f265ca77e722d635355454a5be4
  SHA256: 8e5d401c2f1b04884c96364431b71d14505abfa208b2cca4db7f24d361979cbb
  SHA512: 358c24f77c4eb1a2aa5bfd2f57e3717742260192b0a74bf2108a2bb5be3c35d6da8d84094d986d4bf54d9469e534e76fb279adec99eddfe36503540e8f63d85a

  Filesize: 204B
  MD5: 35cb595ff132c2620534fe2d0f922403
  SHA1: 92557fe2e37c4f4235950280de0839e24ad5efe5
  SHA256: 8b01800fcd266baf75449dda633816e6394ee492e4169fd0515d80e841a81066
  SHA512: f0a79fddb91f24e6ca71d8c41bd9a97bc2919f06b26c2c3368ad8dcdcdd6d1d50d1427816ff2e0fc2f62c095b2005d1305810edc15dfbc9d9f1182c4eba78bc9

  Filesize: 172B
  MD5: ddd2b10a801d372777871bec50651938
  SHA1: 01a53ae378e5598b8597fb7e7cb74de2112139ab
  SHA256: cd79ff5dbc003fada298a1945f2ef4ef5f116914d35fbc2a3e176cae7634bf42
  SHA512: 877d5db152870802bc9a73fc6f467f6b7d766828dbec1fc0cddfedde93a5166535bdc6e71993c4a1bcb6eff66c3bd2be44820faa5131b60036f30abf3112dc2b

  Filesize: 2.6MB
  MD5: 4149536b9227b4e02071b94770952886
  SHA1: f0747b7cb9dcebfc33d3296adef5cc7fc13fcd16
  SHA256: 0d792e71e221e578973ce197c73ae0de2b299be676e03ad91d65ce9552f984e1
  SHA512: 11d17e20e2d8e7074be4a84e7bda0cbc8f48872f68ed36855d3ac8138c449077831691bee28a3e130c89d01fcf2199b49d6fa1a1cdf4f79e82d7f8af45f1fa75