Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
  Resource: win10v2004-20241007-en
General
Target: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
Size: 2.6MB
MD5: e2c915908dc344b7f41f097704185160
SHA1: 3302b95b46ed698840f8a7900f470e6a372cc399
SHA256: ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6
SHA512: 35c58c22505af10c0197bda4782d062eb2a4188595b2fef1fbe08050667e625c144526f19ea3176ed819e8b85ab4421c5da6dea877dca137f839311a58701ee9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (by ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe)
Anything placed in the per-user Startup folder runs at the next interactive logon of that user without any registry change.

Executes dropped EXE (2 IoCs)
- PID 916: sysxbod.exe
- PID 3948: abodec.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no per-file IoCs for this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0C\\abodec.exe" (by ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFJ\\optidevloc.exe" (by ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe)
The value data is shown with the report's escaped backslashes; the on-disk paths are C:\Intelproc0C\abodec.exe and C:\MintFJ\optidevloc.exe. Both values use the same name, Parametr, under the user hive of SID S-1-5-21-...-1000 (the sandbox's Admin account), which is the HKCU Run and RunOnce location. Note that the RunOnce target C:\MintFJ\optidevloc.exe does not appear anywhere in the process tree of this run, so it was not observed executing within the analysis window.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sysxbod.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by abodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated process-enumeration events, by process: PID 1016 (ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe) x4, PID 916 (sysxbod.exe) x30, PID 3948 (abodec.exe) x30.

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1016 (ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe) wrote to memory of PID 916 (sysxbod.exe): 3 events, procid_target 86
- PID 1016 (ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe) wrote to memory of PID 3948 (abodec.exe): 3 events, procid_target 87
A short burst of writes from a parent into a child it has just created is consistent with an ordinary process launch and is not by itself evidence of code injection; the report records no cross-process writes other than these two parent-to-child pairs.
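The Startup-folder drop and the two HKCU Run/RunOnce values above are the artifacts to hunt for on other hosts. The following Python is an added example, not part of the sandbox report or its tooling: it parses the report's IoC strings exactly as printed, normalizes the kernel-object registry paths (\REGISTRY\USER\...) to the HKU/HKLM spelling that reg.exe and EDR queries use, undoes the report's doubled backslashes in the value data, and cross-checks which persistence targets the process tree actually shows running. The "trusted roots" heuristic and the list of executed images are assumptions, marked as such in the comments.

```python
import re
from dataclasses import dataclass

# Constructed input: the persistence IoC strings copied verbatim from the
# "Drops startup file" and "Adds Run key" signatures in the report above.
REPORT_IOCS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe '
    r'ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows'
    r'\CurrentVersion\Run\Parametr = "C:\\Intelproc0C\\abodec.exe" '
    r'ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows'
    r'\CurrentVersion\RunOnce\Parametr = "C:\\MintFJ\\optidevloc.exe" '
    r'ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe',
]

# Images the report's process tree shows actually executing in this run
# (taken from the Processes section; assumed complete for this analysis).
EXECUTED_IMAGES = {
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe',
    r'C:\Intelproc0C\abodec.exe',
}

# Assumption (analyst heuristic, not from the report): autorun targets outside
# these trees deserve a closer look.
TRUSTED_ROOTS = ('C:\\WINDOWS\\', 'C:\\PROGRAM FILES\\', 'C:\\PROGRAM FILES (X86)\\')

REG_SET = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\=]+) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_CREATED = re.compile(r'^File created (?P<path>.+?) (?P<proc>\S+)$')
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.IGNORECASE)
NT_HIVES = (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\'))


@dataclass(frozen=True)
class PersistenceArtifact:
    kind: str            # 'registry_run' or 'startup_file'
    location: str        # normalized registry value path, or the dropped file path
    image_path: str      # executable that will be launched at the next logon
    source_process: str  # process that created the artifact


def normalize_key(nt_path: str) -> str:
    """Map the kernel object path the sandbox logs to the HKU/HKLM spelling."""
    upper = nt_path.upper()
    for prefix, hive in NT_HIVES:
        if upper.startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def parse_iocs(lines):
    """Turn the report's free-text IoC lines into hunt-ready artifacts."""
    found = []
    for line in lines:
        m = REG_SET.match(line)
        if m:
            # The report prints string value data with doubled backslashes; undo that.
            data = m['data'].replace('\\\\', '\\')
            exe = DRIVE_PATH.search(data)
            found.append(PersistenceArtifact(
                kind='registry_run',
                location=normalize_key(m['key']) + '\\' + m['name'],
                image_path=exe.group(0) if exe else data,
                source_process=m['proc']))
            continue
        m = FILE_CREATED.match(line)
        if m and '\\Start Menu\\Programs\\Startup\\' in m['path']:
            found.append(PersistenceArtifact('startup_file', m['path'], m['path'], m['proc']))
    return found


def is_unusual_location(path: str) -> bool:
    """Heuristic: True when an autorun target lives outside the OS/Program Files trees."""
    return not path.upper().startswith(TRUSTED_ROOTS)


def unexecuted_targets(artifacts, executed):
    """Persistence targets the sandbox never saw running: where the report's
    static IoCs and its dynamic trace disagree."""
    seen = {e.lower() for e in executed}
    return {a.image_path for a in artifacts if a.image_path.lower() not in seen}


if __name__ == '__main__':
    artifacts = parse_iocs(REPORT_IOCS)
    for a in artifacts:
        flag = 'UNUSUAL-PATH' if is_unusual_location(a.image_path) else 'ok'
        print(f'{a.kind:13} {flag:12} {a.location} -> {a.image_path}')
    print('not observed running in this analysis:',
          sorted(unexecuted_targets(artifacts, EXECUTED_IMAGES)))
```

Run it as a script to get one line per artifact plus the set of targets that never executed; for this report that set is the RunOnce target C:\MintFJ\optidevloc.exe, which is exactly the gap an analyst should either explain (the binary is written later, or only on a reboot the sandbox never performed) or carry forward as an untested IoC.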
Processes
1. C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe (PID 1016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 916, child of 1016)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Intelproc0C\abodec.exe (PID 3948, child of 1016)
      Command line: C:\Intelproc0C\abodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists these dropped files by hash only; no filenames are given. Three of the entries are 2.6MB, the same size as the submitted sample, but none of their hashes match it.

- Filesize: 12KB
  MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
  SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
  SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
  SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

- Filesize: 2.6MB
  MD5: 9606761c172809659a6fab791bf9c2c7
  SHA1: 6fcc04080b049fdd3d41f5f8899ed283c0afbd11
  SHA256: 27b9214cb8f6f54b2cceb5a747ff3b00666266bc66d61e818ac5bfd804079355
  SHA512: 5b42cb9ba96ea16441fed47f86e4e6243d2393e1562c11d5fdbd7863a71da020987388f4f7c0b121eac595458d05f3efcd542544880a77830bb5dbeaa5f7de37

- Filesize: 4KB
  MD5: 34bd8ff991b1427aa83cc59b77d0487f
  SHA1: 1775fb0e77f2b1b201917c49e409123372df9167
  SHA256: 8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec
  SHA512: 5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e

- Filesize: 2.6MB
  MD5: 5488bf8d623322cded444947d41bea06
  SHA1: 06e50fb2d904d2e8c2664c8e66a6862cfaadebdf
  SHA256: 4a3f4d8b5e3f35305afd9d8d7939578366143f36087fd791dff20d7880011262
  SHA512: d7d8510a992624c2dba3241db74dd32d5a051adfb5af5efdc94fc8b8ca64640cd275e029759edb802a8a9df227cd46b2bf54dd87956f77572287470bde8862dd

- Filesize: 206B
  MD5: bfbb71807b5bad38b008c7ebb86a71b6
  SHA1: 32f34ba35eb9080094844aa25711a1e9ff5b3fac
  SHA256: 14060741eb5c18868a90e178fcfb3b5786dd458c8f7f03663b5445872a8fc80e
  SHA512: 599c2592f5b47c6c2dee40228c67506b0d1df9879cd65e7e35d5a20e4a3a8a81861fcf3668130bd0aa2b83ad4bd2f647c03922a9302968aad0afed0fa4bc00af

- Filesize: 174B
  MD5: 39713eacbc2efe14b982ea95702aac13
  SHA1: b0a2aa2abe2f00b9613c28e857359586d835b8da
  SHA256: 57d91939662c0feba409b5a61e5e24058410b8acb53cc928b6e6a90f2fd536d4
  SHA512: 22ff16f2c4212742f7019f1f80adc49e06c727fea730f615bf26a6aa706f998500cea9d2acb25e85c2d1efac0fa6193b7b8c8746d2c1f2f326be6fbc23e580df

- Filesize: 2.6MB
  MD5: c0232624eccf5a0bc36028ce53bb47fb
  SHA1: 9ad8d80ab3a70f0359f111cffec9d9de96a366ae
  SHA256: 1bad22a0db0e2e8bb1534ba397cfb7d34ceb047c6ae182b4ebb4607fccd30386
  SHA512: a9e6b836665f04d759311df6708b5978c6b8ca366c9d3cf739c66266317b4ac9de35c84824fa465ec27a4fc593af3982bf83aff33d52e96e31f79eebe65a69b7