Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/11/2024, 23:05
Static task
static1
Behavioral task
behavioral1
Sample
d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Resource
win10v2004-20241007-en
General
-
Target
d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
-
Size
2.6MB
-
MD5
af4e02c1ae0d33b078cec2d88ad2d5c0
-
SHA1
ea2627cc11ffaa4c76257382aa820d04cb804c8f
-
SHA256
d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa
-
SHA512
f13586399790e9bc542002393ffc77e48ffabc21ee487fc6a523f365557060306e35df5f0e2ce2738821e5d7a7c00d07cf6a41ae692acd6034ee03a3a7680bc2
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUp7bV
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2312 | sysadob.exe
2520 | xdobsys.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIS\\xdobsys.exe" | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH1\\bodasys.exe" | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Note: the RunOnce data points at C:\MintH1\bodasys.exe, a path that appears neither in the "Drops startup file" signature nor in the process tree of this run, so the value name Parametr and the Run target C:\AdobeIS\xdobsys.exe are the firmer indicators. The SID in the key path is the sandbox user's and will differ on any other host.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences (64 IoCs in total)
5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 4
2312 | sysadob.exe | 30
2520 | xdobsys.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 5060 wrote to memory of 2312 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 88
PID 5060 wrote to memory of 2312 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 88
PID 5060 wrote to memory of 2312 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 88
PID 5060 wrote to memory of 2520 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 90
PID 5060 wrote to memory of 2520 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 90
PID 5060 wrote to memory of 2520 | 5060 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
    PID: 5060
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (child of PID 5060)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
        PID: 2312
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    +-- C:\AdobeIS\xdobsys.exe (child of PID 5060)
        command line: C:\AdobeIS\xdobsys.exe
        PID: 2520
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
-
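The two persistence mechanisms in this run (a copy dropped into the user's Startup folder, and a Run plus a RunOnce value both named Parametr) are what a responder would hunt for on other hosts. The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses the report's own signature lines into IoCs, then checks them against the text that `reg query <key> /s` prints and against a listing of a user's Startup folder. The signature strings are copied from the report; the `reg query` output and the Startup listing are constructed for illustration. The sandbox SID is stripped from the key because it identifies the sandbox user and will never match elsewhere, and a hit on key plus value name alone is reported as weaker evidence, since the path in the data can change between builds.

```python
"""Parse the persistence signatures from the sandbox report into IoCs and hunt
for them in `reg query` output and a Startup-folder listing.

Added example for this page (not sandbox or sample code). SIGNATURE_LINES are
copied from the report; REG_QUERY_OUTPUT and STARTUP_LISTING are constructed.
"""
import re
from dataclasses import dataclass

# Signature rows exactly as printed in the report above.
SIGNATURE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIS\\xdobsys.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH1\\bodasys.exe"',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe',
]

# The sandbox prints REG_SZ data with doubled backslashes. The SID belongs to the
# sandbox user and is dropped: it will not match on a victim host.
REG_RE = re.compile(
    r'^Set value \((\w+)\) \\REGISTRY\\(USER|MACHINE)\\'
    r'(?:S-1-5-[\d-]+\\)?(.+)\\([^\\]+) = "(.*)"$'
)
# The path may contain spaces ("Start Menu"); the creating process name does not.
FILE_RE = re.compile(r'^File created (.+) (\S+)$')


@dataclass(frozen=True)
class RegIoC:
    hive: str   # HKU (per-user, i.e. HKCU for that user) or HKLM
    key: str    # key path below the hive, SID removed
    value: str  # value name
    data: str   # REG_SZ data with the report's escaping undone


@dataclass(frozen=True)
class FileIoC:
    path: str     # full sandbox path
    name: str     # basename: the portable part, the profile path differs per user
    dropper: str  # process that created it


def parse_signatures(lines):
    regs, files = [], []
    for line in lines:
        m = REG_RE.match(line)
        if m:
            _kind, hive, key, value, data = m.groups()
            regs.append(RegIoC("HKU" if hive == "USER" else "HKLM",
                               key, value, data.replace("\\\\", "\\")))
            continue
        m = FILE_RE.match(line)
        if m:
            path, dropper = m.groups()
            files.append(FileIoC(path, path.rsplit("\\", 1)[-1], dropper))
    return regs, files


# Strip the hive prefix that `reg query` prints so keys compare with IoC keys.
HIVE_PREFIX_RE = re.compile(
    r'^(HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKEY_USERS\\[^\\]+|HKU\\[^\\]+)\\',
    re.IGNORECASE,
)


def parse_reg_query(output):
    """Yield (key_below_hive, value_name, data) from `reg query <key> /s` text."""
    key = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line = key header
            key = HIVE_PREFIX_RE.sub("", raw.strip())
            continue
        parts = re.split(r'\s{2,}', raw.strip(), maxsplit=2)  # name, type, data
        if key is not None and len(parts) == 3:
            yield key, parts[0], parts[2]


def hunt_registry(output, reg_iocs):
    """Return (confidence, key, value, data) hits. 'exact' = key, name and data
    match; 'value-name' = same key and value name, different data."""
    hits = []
    for key, name, data in parse_reg_query(output):
        shown = data.strip().strip('"').lower()
        for ioc in reg_iocs:
            if key.lower() == ioc.key.lower() and name.lower() == ioc.value.lower():
                conf = "exact" if shown == ioc.data.lower() else "value-name"
                hits.append((conf, key, name, data))
    return hits


def hunt_startup(listing, file_iocs):
    """Names in a user's Startup folder listing that match a dropped-file IoC."""
    wanted = {f.name.lower() for f in file_iocs}
    return sorted(n for n in listing if n.lower() in wanted)


# Constructed host data: a benign OneDrive entry, an exact hit under Run, and a
# RunOnce entry that reuses the value name but points somewhere else.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Parametr    REG_SZ    C:\AdobeIS\xdobsys.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Parametr    REG_SZ    C:\Updater\svc.exe
"""
STARTUP_LISTING = ["desktop.ini", "sysadob.exe"]  # constructed

if __name__ == "__main__":
    regs, files = parse_signatures(SIGNATURE_LINES)
    for hit in hunt_registry(REG_QUERY_OUTPUT, regs):
        print("registry", *hit)
    print("startup", hunt_startup(STARTUP_LISTING, files))
```

On a live host the input for `hunt_registry` is the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the same for RunOnce (or of `HKU\<SID>\...` when run as another account), and the Startup listing is the contents of `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`. Matching on the basename rather than the full sandbox path is deliberate: the `C:\Users\Admin` prefix is a sandbox artefact.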
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.9MB
MD5 e7fff80824000bc9b8cfd042561deb9d
SHA1 e98524827d8afe81835fe4e94bc061dcf512aa68
SHA256 5ef02a2b7fc43d58e1b4be84722980a5513703a2d301cc43eaeb2cb57364512a
SHA512 ee4dce9e46d5b24bac5d03aad29c5d9135095b7557fa3d11dfb45deb9704ff297261434bf1e4a67bb2d97554bd80106c59856343acbdc2aee28f4b6eb64e0436
-
Filesize 2.6MB
MD5 08c7cca9409d64a0633eea162b853bf4
SHA1 9b5ffb9f52214b4e6e27a153699797b3fd5188d8
SHA256 c6c7568c24a90614b0bd628f14de89377650b570bd8964c9ddc1d92646dd6ce5
SHA512 f7fa50e873eb2724fa58051603f69a2de82748dd68e45b8684cf26be474fc83adf9c8b5744b19a1390ff61388867bf9005b7cd08ced44244b0181feefce2d066
-
Filesize 2.6MB
MD5 24e5ec3ef012c24d443d65703fb9429d
SHA1 1c6aaf2db04a94c50f08dc48fbdab187806e8195
SHA256 356c770afdf106a86a261941db2319606fbdc986b1141a278f8e6ce2059d4fee
SHA512 2acee48f03b74208a8b3e073debd1506269acfcc01bd5a5c5370dfdcca40bc4f4820c5eaf7a72b06118991403413bd81521598001cdee0245969ee00443f6b87
-
Filesize 968KB
MD5 bfe139fac30aa5e103919ac78684b003
SHA1 16c1055e78683a2a2584f7cb992fb8859e3212db
SHA256 b92b86976bcaf813ada2874f61f4dc67df81f29499d825404520b21297ae6834
SHA512 f0c4baf867936845232c7b808a5cc8500b42aa16e917b7cf921a899a8961c49e4c963dba5ff6a3c16880563782619a441bb76f477dad627f5bade232ece91f0f
-
Filesize 200B
MD5 f8259994458e9e4c8e103fb293c90b71
SHA1 fd0838eba58ede33fb0969050fd1530e664ad057
SHA256 dfc4eefec35a6f9c5120849d7151b31cda76d9d6ee7768e8767f01fbd9f24a49
SHA512 232adf410686e509919219add52e709c328b025647d114e1f756775709ce9eb8591150e4eab439482fe6a0a81d8257a82ab36de53d38cff5dfd0f502bb2207d1
-
Filesize 168B
MD5 5cd7d2af0139b97e6dc9b69a4dd6a440
SHA1 4a2ef764762c4db3ab5596bbad99f6d09dfd6abd
SHA256 d1c7088bea97ad85e5443fc38a510cacd18728d630132a7c26e89dea550a1bb0
SHA512 89217723c64a438c264d8e61e36b2606a6e5dd60562e5dbc53f7050435892aa39a905188388de1a2b6429fcd0f6f436d6fccd586ddc1431d0e98e1488cd4a171
-
Filesize 2.6MB
MD5 e8279f05299deb43dee7784cfb09617b
SHA1 896c17e0a4f6e6b185670578c40d179eed2f1493
SHA256 e69d96bc4076493c5658091079074071fb375c8485ab92e6a7f0e1a1b0688077
SHA512 c41432702dd4f46710b14157c8463469af13caee2a7cda2362814813e2fb37f687c4f4f1b79afd5bfc3ca606f44942f66e9b0fc7c4e7a8e3683d55ee0ec63bf7
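The hash table above is only useful if it can be matched against whatever an alert or a disk image hands you, in any of the four algorithms and in either case. The Python below is an added example for this page, not code from the sandbox: it indexes the digests of the submitted sample and of the seven downloads, validates that each digest has the length and alphabet of its column (a truncated copy-paste silently turns an IoC into a dead one), computes all four digests of a file in a single pass, and reports the first match. The digest values are copied from the report; the row labels ("download 1" to "download 7") are mine, since the report identifies the downloads by size only, and the bytes hashed in the usage at the bottom are constructed.

```python
"""Hash lookup for the submitted sample and the files listed under Downloads.

Added example for this page, not sandbox code. Digests are copied from the
report; the labels are assumptions (the report lists downloads by size only)
and the bytes hashed at the bottom are constructed.
"""
import hashlib
import io

ALGOS = ("md5", "sha1", "sha256", "sha512")
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# (label, reported size, md5, sha1, sha256, sha512)
KNOWN = [
    ("submitted sample", "2.6MB", "af4e02c1ae0d33b078cec2d88ad2d5c0", "ea2627cc11ffaa4c76257382aa820d04cb804c8f",
     "d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa",
     "f13586399790e9bc542002393ffc77e48ffabc21ee487fc6a523f365557060306e35df5f0e2ce2738821e5d7a7c00d07cf6a41ae692acd6034ee03a3a7680bc2"),
    ("download 1", "1.9MB", "e7fff80824000bc9b8cfd042561deb9d", "e98524827d8afe81835fe4e94bc061dcf512aa68",
     "5ef02a2b7fc43d58e1b4be84722980a5513703a2d301cc43eaeb2cb57364512a",
     "ee4dce9e46d5b24bac5d03aad29c5d9135095b7557fa3d11dfb45deb9704ff297261434bf1e4a67bb2d97554bd80106c59856343acbdc2aee28f4b6eb64e0436"),
    ("download 2", "2.6MB", "08c7cca9409d64a0633eea162b853bf4", "9b5ffb9f52214b4e6e27a153699797b3fd5188d8",
     "c6c7568c24a90614b0bd628f14de89377650b570bd8964c9ddc1d92646dd6ce5",
     "f7fa50e873eb2724fa58051603f69a2de82748dd68e45b8684cf26be474fc83adf9c8b5744b19a1390ff61388867bf9005b7cd08ced44244b0181feefce2d066"),
    ("download 3", "2.6MB", "24e5ec3ef012c24d443d65703fb9429d", "1c6aaf2db04a94c50f08dc48fbdab187806e8195",
     "356c770afdf106a86a261941db2319606fbdc986b1141a278f8e6ce2059d4fee",
     "2acee48f03b74208a8b3e073debd1506269acfcc01bd5a5c5370dfdcca40bc4f4820c5eaf7a72b06118991403413bd81521598001cdee0245969ee00443f6b87"),
    ("download 4", "968KB", "bfe139fac30aa5e103919ac78684b003", "16c1055e78683a2a2584f7cb992fb8859e3212db",
     "b92b86976bcaf813ada2874f61f4dc67df81f29499d825404520b21297ae6834",
     "f0c4baf867936845232c7b808a5cc8500b42aa16e917b7cf921a899a8961c49e4c963dba5ff6a3c16880563782619a441bb76f477dad627f5bade232ece91f0f"),
    ("download 5", "200B", "f8259994458e9e4c8e103fb293c90b71", "fd0838eba58ede33fb0969050fd1530e664ad057",
     "dfc4eefec35a6f9c5120849d7151b31cda76d9d6ee7768e8767f01fbd9f24a49",
     "232adf410686e509919219add52e709c328b025647d114e1f756775709ce9eb8591150e4eab439482fe6a0a81d8257a82ab36de53d38cff5dfd0f502bb2207d1"),
    ("download 6", "168B", "5cd7d2af0139b97e6dc9b69a4dd6a440", "4a2ef764762c4db3ab5596bbad99f6d09dfd6abd",
     "d1c7088bea97ad85e5443fc38a510cacd18728d630132a7c26e89dea550a1bb0",
     "89217723c64a438c264d8e61e36b2606a6e5dd60562e5dbc53f7050435892aa39a905188388de1a2b6429fcd0f6f436d6fccd586ddc1431d0e98e1488cd4a171"),
    ("download 7", "2.6MB", "e8279f05299deb43dee7784cfb09617b", "896c17e0a4f6e6b185670578c40d179eed2f1493",
     "e69d96bc4076493c5658091079074071fb375c8485ab92e6a7f0e1a1b0688077",
     "c41432702dd4f46710b14157c8463469af13caee2a7cda2362814813e2fb37f687c4f4f1b79afd5bfc3ca606f44942f66e9b0fc7c4e7a8e3683d55ee0ec63bf7"),
]


def build_index(rows=KNOWN):
    """Map each lowercase hex digest to (label, algorithm)."""
    return {hx.lower(): (label, algo)
            for label, _size, *digests in rows
            for algo, hx in zip(ALGOS, digests)}


def validate_table(rows=KNOWN):
    """Flag digests whose length or alphabet does not fit their column."""
    bad = []
    for label, _size, *digests in rows:
        for algo, hx in zip(ALGOS, digests):
            hexchars = all(c in "0123456789abcdef" for c in hx.lower())
            if DIGEST_LEN.get(len(hx)) != algo or not hexchars:
                bad.append((label, algo))
    return bad


def lookup(digest, index=None):
    """Match a digest pasted from an alert: any of the four algorithms, any case."""
    hx = digest.strip().lower()
    if len(hx) not in DIGEST_LEN:
        raise ValueError(f"unsupported digest length {len(hx)}")
    return (index or build_index()).get(hx)


def hash_stream(fobj, chunk=1 << 20):
    """All four digests in one pass, so a large file is read from disk once."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def scan_file(path, index=None):
    """Hash a file on disk and return the matching row, or None."""
    index = index or build_index()
    with open(path, "rb") as f:
        digests = hash_stream(f)
    for algo, hx in digests.items():
        if hx in index:
            return {"path": str(path), "matched_by": algo, "label": index[hx][0]}
    return None


if __name__ == "__main__":
    print("table problems:", validate_table())
    print(lookup("AF4E02C1AE0D33B078CEC2D88AD2D5C0"))
    print(lookup(hash_bytes(b"constructed, not the sample")["sha256"]))
```

`scan_file` is the entry point for a collected binary; `lookup` is for a digest that arrives as text. MD5 and SHA-1 are kept only because that is what many alerting products still emit; a match on either is a reason to pull the file and confirm the SHA-256, not a verdict on its own.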