Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:05

General

  • Target

    d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe

  • Size

    2.6MB

  • MD5

    af4e02c1ae0d33b078cec2d88ad2d5c0

  • SHA1

    ea2627cc11ffaa4c76257382aa820d04cb804c8f

  • SHA256

    d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa

  • SHA512

    f13586399790e9bc542002393ffc77e48ffabc21ee487fc6a523f365557060306e35df5f0e2ce2738821e5d7a7c00d07cf6a41ae692acd6034ee03a3a7680bc2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUp7bV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
    "C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2312
    • C:\AdobeIS\xdobsys.exe
      C:\AdobeIS\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2520
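
The process tree above shows the persistence chain the "Drops startup file", "Adds Run key to start application" and "Executes dropped EXE" signatures describe: pid 5060 writes sysadob.exe into the user's Startup folder and xdobsys.exe under C:\AdobeIS, then spawns both. The following is an added example, not code from the sandbox or the report, of how those three signatures can be reconstructed from a file/registry/process event stream such as an EDR or Sysmon feed would provide. The event list is constructed from the report's paths and pids; the Run value name and data are assumptions, since the report records that a Run key was added but not which value.

```python
"""Reconstruct 'Drops startup file', 'Adds Run key' and 'Executes dropped EXE'
from a stream of file-write, registry-set and process-create events.

Added example; the trace below is constructed from the report's process tree."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_MARKER = "\\currentversion\\run"          # also matches RunOnce
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")


@dataclass(frozen=True)
class Event:
    kind: str                   # "file_write", "registry_set" or "process_create"
    pid: int                    # writer pid, or the new process's pid for process_create
    path: str                   # file written, registry key, or image of the new process
    ppid: Optional[int] = None  # parent pid (process_create only)
    value: str = ""             # registry value name (registry_set only)
    data: str = ""              # registry value data (registry_set only)


def is_startup_drop(ev: Event) -> bool:
    p = ev.path.lower()
    return ev.kind == "file_write" and STARTUP_MARKER in p and p.endswith(EXEC_EXT)


def detect(events: List[Event]) -> List[Tuple]:
    """Return (signature, pid, detail...) tuples in the order they fire."""
    written: Dict[str, int] = {}   # lower-cased path -> pid that last wrote it
    findings: List[Tuple] = []
    for ev in events:
        p = ev.path.lower()
        if ev.kind == "file_write":
            if is_startup_drop(ev):
                findings.append(("drops_startup_file", ev.pid, ev.path))
            written[p] = ev.pid
        elif ev.kind == "registry_set" and RUN_KEY_MARKER in p:
            # A Run value pointing at a file this trace saw being written is the
            # persistence chain the report flags; any other Run write is still
            # surfaced, just without that context.
            target = ev.data.strip('"').lower()
            findings.append(("adds_run_key", ev.pid, ev.value, ev.data,
                             "dropped" if target in written else "not-dropped"))
        elif ev.kind == "process_create" and p in written:
            findings.append(("executes_dropped_exe", ev.pid, ev.path,
                             f"written by pid {written[p]}", f"parent pid {ev.ppid}"))
    return findings


STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\sysadob.exe")
DROPPED_EXE = r"C:\AdobeIS\xdobsys.exe"

# Constructed trace modelled on the report (pid 5060 -> 2312, 2520). The Run
# value name "xdobsys" and its data are assumptions, not taken from the report.
SAMPLE_EVENTS = [
    Event("file_write", 5060, STARTUP_EXE),
    Event("file_write", 5060, DROPPED_EXE),
    Event("registry_set", 5060, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value="xdobsys", data=DROPPED_EXE),
    Event("process_create", 2312, STARTUP_EXE, ppid=5060),
    Event("process_create", 2520, DROPPED_EXE, ppid=5060),
    # Benign noise: an editor saving a document, then a system binary starting.
    Event("file_write", 1234, r"C:\Users\Admin\Documents\notes.txt"),
    Event("process_create", 1300, r"C:\Windows\System32\notepad.exe", ppid=1234),
]


def run_example() -> List[Tuple]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

The "executes dropped EXE" rule keys on the image path having been written earlier in the same trace, which is why the benign notepad.exe launch does not fire; in a real feed, normalise 8.3 names and junctions before the lookup, or the writer and the launcher will disagree on the path.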

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeIS\xdobsys.exe

          Filesize

          1.9MB

          MD5

          e7fff80824000bc9b8cfd042561deb9d

          SHA1

          e98524827d8afe81835fe4e94bc061dcf512aa68

          SHA256

          5ef02a2b7fc43d58e1b4be84722980a5513703a2d301cc43eaeb2cb57364512a

          SHA512

          ee4dce9e46d5b24bac5d03aad29c5d9135095b7557fa3d11dfb45deb9704ff297261434bf1e4a67bb2d97554bd80106c59856343acbdc2aee28f4b6eb64e0436

        • C:\AdobeIS\xdobsys.exe

          Filesize

          2.6MB

          MD5

          08c7cca9409d64a0633eea162b853bf4

          SHA1

          9b5ffb9f52214b4e6e27a153699797b3fd5188d8

          SHA256

          c6c7568c24a90614b0bd628f14de89377650b570bd8964c9ddc1d92646dd6ce5

          SHA512

          f7fa50e873eb2724fa58051603f69a2de82748dd68e45b8684cf26be474fc83adf9c8b5744b19a1390ff61388867bf9005b7cd08ced44244b0181feefce2d066

        • C:\MintH1\bodasys.exe

          Filesize

          2.6MB

          MD5

          24e5ec3ef012c24d443d65703fb9429d

          SHA1

          1c6aaf2db04a94c50f08dc48fbdab187806e8195

          SHA256

          356c770afdf106a86a261941db2319606fbdc986b1141a278f8e6ce2059d4fee

          SHA512

          2acee48f03b74208a8b3e073debd1506269acfcc01bd5a5c5370dfdcca40bc4f4820c5eaf7a72b06118991403413bd81521598001cdee0245969ee00443f6b87

        • C:\MintH1\bodasys.exe

          Filesize

          968KB

          MD5

          bfe139fac30aa5e103919ac78684b003

          SHA1

          16c1055e78683a2a2584f7cb992fb8859e3212db

          SHA256

          b92b86976bcaf813ada2874f61f4dc67df81f29499d825404520b21297ae6834

          SHA512

          f0c4baf867936845232c7b808a5cc8500b42aa16e917b7cf921a899a8961c49e4c963dba5ff6a3c16880563782619a441bb76f477dad627f5bade232ece91f0f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          f8259994458e9e4c8e103fb293c90b71

          SHA1

          fd0838eba58ede33fb0969050fd1530e664ad057

          SHA256

          dfc4eefec35a6f9c5120849d7151b31cda76d9d6ee7768e8767f01fbd9f24a49

          SHA512

          232adf410686e509919219add52e709c328b025647d114e1f756775709ce9eb8591150e4eab439482fe6a0a81d8257a82ab36de53d38cff5dfd0f502bb2207d1

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          5cd7d2af0139b97e6dc9b69a4dd6a440

          SHA1

          4a2ef764762c4db3ab5596bbad99f6d09dfd6abd

          SHA256

          d1c7088bea97ad85e5443fc38a510cacd18728d630132a7c26e89dea550a1bb0

          SHA512

          89217723c64a438c264d8e61e36b2606a6e5dd60562e5dbc53f7050435892aa39a905188388de1a2b6429fcd0f6f436d6fccd586ddc1431d0e98e1488cd4a171

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

          Filesize

          2.6MB

          MD5

          e8279f05299deb43dee7784cfb09617b

          SHA1

          896c17e0a4f6e6b185670578c40d179eed2f1493

          SHA256

          e69d96bc4076493c5658091079074071fb375c8485ab92e6a7f0e1a1b0688077

          SHA512

          c41432702dd4f46710b14157c8463469af13caee2a7cda2362814813e2fb37f687c4f4f1b79afd5bfc3ca606f44942f66e9b0fc7c4e7a8e3683d55ee0ec63bf7
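
Two details in the list above matter for hunting: C:\AdobeIS\xdobsys.exe and C:\MintH1\bodasys.exe were each written twice with different sizes and hashes, so a hash-only search misses whichever version is on disk, and the .ini name embeds the user name and a number that may be host-specific. The following is an added example, not part of the report, that matches an endpoint file inventory against these IoCs by hash and by path pattern and grades the match. The inventory is constructed; the regex for the .ini file name is an assumption about its shape.

```python
"""Match a (path, sha256) file inventory against the dropped-file IoCs above.

Added example; hashes and paths are copied from the report's Downloads section."""
import re
from typing import List, Set, Tuple

# (lower-case path regex, sha256 set). Paths written more than once carry every
# observed hash. The .ini pattern is an assumption: the report shows one name,
# 253086396416_10.0_Admin.ini, so we match <digits>_<version>_<user>.ini in the
# profile root and tie <user> back to the Users\<user> directory.
IOCS: List[Tuple[str, Set[str]]] = [
    (r"^c:\\adobeis\\xdobsys\.exe$", {
        "5ef02a2b7fc43d58e1b4be84722980a5513703a2d301cc43eaeb2cb57364512a",
        "c6c7568c24a90614b0bd628f14de89377650b570bd8964c9ddc1d92646dd6ce5",
    }),
    (r"^c:\\minth1\\bodasys\.exe$", {
        "356c770afdf106a86a261941db2319606fbdc986b1141a278f8e6ce2059d4fee",
        "b92b86976bcaf813ada2874f61f4dc67df81f29499d825404520b21297ae6834",
    }),
    (r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu"
     r"\\programs\\startup\\sysadob\.exe$", {
        "e69d96bc4076493c5658091079074071fb375c8485ab92e6a7f0e1a1b0688077",
    }),
    (r"^c:\\users\\([^\\]+)\\\d+_[\d.]+_\1\.ini$", {
        "dfc4eefec35a6f9c5120849d7151b31cda76d9d6ee7768e8767f01fbd9f24a49",
        "d1c7088bea97ad85e5443fc38a510cacd18728d630132a7c26e89dea550a1bb0",
    }),
]


def match_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (path, confidence, reason) for every inventory entry that hits an IoC."""
    hits: List[Tuple[str, str, str]] = []
    for path, sha256 in inventory:
        lp, ls = path.lower(), sha256.lower()
        for pattern, hashes in IOCS:
            path_hit = re.match(pattern, lp) is not None
            hash_hit = ls in hashes
            if path_hit and hash_hit:
                hits.append((path, "high", "path and sha256 match"))
            elif hash_hit:
                hits.append((path, "high", "sha256 match at an unexpected path"))
            elif path_hit:
                hits.append((path, "medium", "path match only; contents differ from the sandbox copies"))
            else:
                continue
            break  # one verdict per file
    return hits


# Constructed inventory from a hypothetical second host (user "bob").
SAMPLE_INVENTORY = [
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe",
     "e69d96bc4076493c5658091079074071fb375c8485ab92e6a7f0e1a1b0688077"),
    (r"C:\AdobeIS\xdobsys.exe", "0" * 64),              # known path, unknown build
    (r"C:\Users\bob\987654321_10.0_bob.ini", "1" * 64),  # matches the assumed name shape
    (r"C:\Windows\System32\notepad.exe", "2" * 64),      # benign, must not match
]


def hunt_example() -> List[Tuple[str, str, str]]:
    return match_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for path, confidence, reason in hunt_example():
        print(f"[{confidence}] {path}: {reason}")
```

A path-only hit on C:\AdobeIS\xdobsys.exe is graded medium rather than dismissed precisely because the report already shows two different payloads at that path; treat it as a prompt to pull the file and hash it, not as a false positive.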