Analysis

max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 23:11

Static task: static1

Behavioral task: behavioral1
Sample: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Resource: win10v2004-20241007-en
General

Target: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Size: 2.6MB
MD5: e2c915908dc344b7f41f097704185160
SHA1: 3302b95b46ed698840f8a7900f470e6a372cc399
SHA256: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6
SHA512: 35c58c22505af10c0197bda4782d062eb2a4188595b2fef1fbe08050667e625c144526f19ea3176ed819e8b85ab4421c5da6dea877dca137f839311a58701ee9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Executes dropped EXE (2 IoCs)
pid | Process
2148 | sysxdob.exe
1628 | adobloc.exe

Loads dropped DLL (2 IoCs)
pid | Process
2364 | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
2364 | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in this report.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX4\\boddevec.exe" | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1I\\adobloc.exe" | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Both values use the same name, Parametr, under the current user's hive. The Run value points at adobloc.exe, which does execute during the run; the RunOnce value points at C:\GalaxX4\boddevec.exe, which does not appear in the process tree, so that entry would only fire at this user's next logon.
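The two persistence mechanisms recorded above (an executable dropped into the per-user Startup folder, and Run/RunOnce values pointing at executables outside the usual program directories) are the kind of thing a detection rule over endpoint telemetry should catch. The following is an added example, not part of the sandbox report or the sample: it flags both patterns over constructed Sysmon-style events whose field names follow Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent SetValue). The record contents mirror this report's IoCs; the two benign control events, the `sample.exe` image name and the trusted-prefix list are assumptions made for the example.

```python
"""Flag autostart persistence of the kind this report records.

Added example, not part of the sandbox report. The event records below are
constructed to mirror the report's IoCs (an .exe dropped into the per-user
Startup folder, and Run/RunOnce values written under the user hive). Field
names follow Sysmon Event ID 11 (FileCreate) and 13 (RegistryEvent SetValue),
but the records themselves and the benign controls are made up here.
"""
import re
from typing import Dict, List, Optional

STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# Autostart targets under these roots are unremarkable; anything else
# (user profile, a bare directory under C:\ such as C:\Adobe1I) gets flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def exe_from_value(data: str) -> str:
    """Extract the executable path from a Run value's data, handling both a
    bare path and a quoted path followed by arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return a finding label for one event, or None if it is uninteresting."""
    if event["EventID"] == 11:  # FileCreate
        target = str(event["TargetFilename"])
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(".exe"):
            return "startup_folder_drop:" + target
    elif event["EventID"] == 13:  # RegistryEvent (SetValue)
        m = RUN_KEY_RE.search(str(event["TargetObject"]))
        if m:
            exe = exe_from_value(str(event["Details"]))
            if not is_trusted(exe):
                return f"{m.group(1).lower()}_key_untrusted_target:{m.group('name')}={exe}"
    return None


def find_persistence(events: List[Dict[str, object]]) -> List[str]:
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample telemetry modelled on the report's IoCs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysxdob.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "TargetObject": "HKU\\S-1-5-21-1846800975-3917212583-2893086201-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": "C:\\GalaxX4\\boddevec.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "TargetObject": "HKU\\S-1-5-21-1846800975-3917212583-2893086201-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": "C:\\Adobe1I\\adobloc.exe"},
    # Benign control (constructed): an installer registering itself from Program Files.
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": '"C:\\Program Files\\Vendor\\updater.exe" /silent'},
    # Benign control (constructed): a text file saved into the Startup folder is not an EXE.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.txt"},
]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the three report-derived records are flagged and the two controls are not. The trusted-prefix allowlist is deliberately short; on a real estate you would tune it to the software actually deployed rather than relying on path alone, since anything writable by the user under those roots would pass.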
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe
All three processes open the same key. Benign software also reaches this key through the locale APIs, so on its own it is a weak indicator; it becomes meaningful mainly when the sample's behaviour then diverges by language.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2364 | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe (first two entries)
2148 | sysxdob.exe
1628 | adobloc.exe
The remaining 62 entries alternate between 2148 sysxdob.exe and 1628 adobloc.exe, i.e. both dropped executables enumerate processes repeatedly for the rest of the run.
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target | count
PID 2364 wrote to memory of 2148 | 2364 | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | 31 | 4
PID 2364 wrote to memory of 1628 | 2364 | ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | 32 | 4
Both targets are child processes the sample itself spawned (see the process tree below). A parent writing into a freshly created child is also what CreateProcess does while setting the child up, so this signature on its own does not show injection into an unrelated process; a write into a process the writer did not create would be the stronger signal.
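To make that distinction mechanically, the check below is an added example, not part of the sandbox report or the sample: it joins WriteProcessMemory events against process-creation edges and buckets each (writer, target) pair as a write into the writer's own direct child or into a foreign process. The creation edges and the eight writes for PID 2364 are taken from this report; the helper process 2700 and the write into PID 1400 are constructed to show the foreign case, and the `sample.exe` name is shorthand for the submitted file.

```python
"""Distinguish parent-to-child setup writes from writes into foreign processes.

Added example, not part of the sandbox report. CreateProcess writes into the
new child's address space while initialising it, so a sandbox hooking
WriteProcessMemory logs a handful of writes from a parent into each child it
spawns; what deserves attention is a write into a process the writer did not
create. The process-creation edges and the first eight writes are taken from
the report (PID 2364 -> 2148 and 2364 -> 1628); the helper process 2700 and
the write into PID 1400 are constructed to show the foreign case.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[int, int]

# (parent_pid, child_pid) process-creation edges.
PROCESS_CREATES: List[Pair] = [
    (2364, 2148),  # sample.exe -> sysxdob.exe (report)
    (2364, 1628),  # sample.exe -> adobloc.exe (report)
    (2148, 2700),  # constructed: sysxdob.exe spawns a helper
]

# (writer_pid, target_pid) WriteProcessMemory calls in the order seen.
MEMORY_WRITES: List[Pair] = (
    [(2364, 2148)] * 4    # report: procid_target 31
    + [(2364, 1628)] * 4  # report: procid_target 32
    + [(2148, 1400)]      # constructed: PID 2148 never created PID 1400
)


def build_children(creates: Iterable[Pair]) -> Dict[int, Set[int]]:
    """Map each parent PID to the set of PIDs it created."""
    children: Dict[int, Set[int]] = defaultdict(set)
    for parent, child in creates:
        children[parent].add(child)
    return dict(children)


def classify_writes(creates: Iterable[Pair], writes: Iterable[Pair]) -> Dict[str, Dict[Pair, int]]:
    """Bucket (writer, target) pairs by whether the target is the writer's own
    direct child ("child_setup") or not ("foreign"); values are write counts.
    Only direct children count as setup: a write into a grandchild or a
    sibling is treated as foreign because CreateProcess does not do that."""
    children = build_children(creates)
    counts: Dict[Pair, int] = defaultdict(int)
    for pair in writes:
        counts[pair] += 1
    result: Dict[str, Dict[Pair, int]] = {"child_setup": {}, "foreign": {}}
    for (writer, target), n in counts.items():
        bucket = "child_setup" if target in children.get(writer, set()) else "foreign"
        result[bucket][(writer, target)] = n
    return result


if __name__ == "__main__":
    for bucket, pairs in classify_writes(PROCESS_CREATES, MEMORY_WRITES).items():
        for (writer, target), n in pairs.items():
            print(f"{bucket:12s} {writer} -> {target}  x{n}")
```

On the report's data both pairs land in the child_setup bucket with four writes each, which matches the table above; only the constructed write into PID 1400 is reported as foreign. A fuller version would also look at what follows the write (CreateRemoteThread, SetThreadContext, a changed entry point), which this report does not record.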
Processes

C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe (PID 2364)
  command line: "C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (PID 2148, child of 2364)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Adobe1I\adobloc.exe (PID 1628, child of 2364)
    command line: C:\Adobe1I\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 150c7220a6e81d003e665376d6160a17
SHA1: a12bee8eb2ec75a11dfb469be652439a0c983f07
SHA256: da993f3470b38a98679d932982d207e26687be77e86df6d9dd90dca50bf6b30c
SHA512: a53d6106c250cefd6c16bd77d9793e38eebeb101378e9a6ad23f7ce33f47255e93921d82b8ed75a59f39b643ecc10db460b148f267704b7b5855ba18d2a18d44

Filesize: 2.6MB
MD5: b6592563985d86e01142ba780f684a8b
SHA1: f1c2c8931d00b3e75c1a3f4cc0e3730d17c2d43b
SHA256: bca35dade0b17ba7f80d613c5c01671f4841a871b3d571d491ec1cc258d07c41
SHA512: 2e01fb506808d9bec50accf3688e38da3c4c16c3e8091cb302823f3118190c865cc37299ccab28c88b449da7f74a1814ad77b1f8456a4ffbbd60fc6bbaec224a

Filesize: 2.6MB
MD5: 52852db9260eff5578ddf35ac7285268
SHA1: 0f12795c06ad7b9c939290975896c7c2054c7bb9
SHA256: 0984926d9ed8488d10b2fb112c1cd8206360fb163636848be84956eea86a0762
SHA512: d7f6ac56795c7f40a62bdf2f4bb78ca200c1de6a6793d17811a7c0f582a6905b314b735aca90f9efb9bb11ae3b08d8a223f9d0b97432c4fbe0f689c0a786a6f9

Filesize: 170B
MD5: 85e39321c47d7405f7efbb1eb1fe96d8
SHA1: d5ab705c5ed9f7c080f300ad3a143a2a05dc0dd6
SHA256: 0a0de5433fe2fbab278830783e189310bdff7211305330396422a6fa5194c24f
SHA512: ddd9c87c296f520f652a18bc225507a6c9c6d6e7a9019c2a5840ff9c958a992362bdd3f23e48ec11b254e694f619001f71aadaf62fe1f82bb207b2c09e5d29eb

Filesize: 202B
MD5: a4ad12ebe5ed13752c79b9a8de878f68
SHA1: 2546f6b4c3fa9e532dd4a2b75f8a77859ce00dcc
SHA256: df7d3e438566cf022ba4ba3c72ba8ec7a8010a6ca6989232c6d986c226e41d37
SHA512: 90916aa06daf0a0d57e26a0cd2445aece43c768e46aff00a7791d29489bc1c5b54b30d2930ad3e52cc6a4f0337fe973094d42bb50549aa95b1214ba0c0fa7139

Filesize: 2.6MB
MD5: c91d32c42c1ba68a9e1ec9950ffd6107
SHA1: 964d0e05b51537a269bc50e66f2fcdfbe71c2a4e
SHA256: cd594a342ca657f1e8758c03c742dcbdf9312259a60787e9f3d51d3a4b1d7b5e
SHA512: 3262b9cba35a1f0e11889f34a08fcbb0503461d6b3ef1f155a61b2112e74180cc259208f1011ad124b248a97a73658ac3be2e571130059834655379d67dd9c8d

None of the four 2.6MB files above shares a hash with the submitted sample or with each other, so the dropped copies are not byte-identical to the parent and an exact-hash blocklist built from the submitted file alone would not match them; the paths and registry values in the Signatures section are the more durable indicators from this run.