Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 23:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  Resource: win10v2004-20241007-en
General
Target: 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Size: 2.6MB
MD5: 09e59590edcd3f5696701d395b57e4c0
SHA1: 106854f79a73f5e62022a9545d7b4fb7b244012d
SHA256: 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a
SHA512: e2ec36ecfd6e3aa6be9f50526498e4505f2ea05763750074edbe3b66e9add55d0dd958c04d46b8f1c324e9e358c4c4a885dba0db023061f062661f255ea9b4b6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpXb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2060 | sysabod.exe
  2352 | aoptiloc.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNC\\aoptiloc.exe" | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW4\\optialoc.exe" | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiloc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe (2 entries)
  2060 | sysabod.exe and 2352 | aoptiloc.exe, alternating, for the remaining entries (64 IoCs in total)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2696 wrote to memory of 2060 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 30
  PID 2696 wrote to memory of 2060 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 30
  PID 2696 wrote to memory of 2060 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 30
  PID 2696 wrote to memory of 2060 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 30
  PID 2696 wrote to memory of 2352 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 31
  PID 2696 wrote to memory of 2352 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 31
  PID 2696 wrote to memory of 2352 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 31
  PID 2696 wrote to memory of 2352 | 2696 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe  (PID 2696)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe  (PID 2060)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeNC\aoptiloc.exe  (PID 2352)
      Command line: C:\AdobeNC\aoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 13b09ec264017a6746855080acb54b38
SHA1: 493183de9a35747d99796797521c6e53c4457519
SHA256: 40f40619be4e9e9002b327ace01e72ae13b1271e2d07369c003d327216959092
SHA512: 78c4c913e591cda1aa36ddac15d2432654a00d245d5189f1e4ccb7e2ac5b0974815aec8d723e47900fdb3a5e30f9e6b8182043605d7452023d45f26aa5606416

Filesize: 2.6MB
MD5: 9c572b0d02ba45d4cbdf9bb8de22ba14
SHA1: 9a75ed5e18941b3c42578754a1077f61bc475be2
SHA256: 2d84cfe1d9a5cdc0a99504f086d21682e81cb480de8f2355428d3bd43361b39b
SHA512: 871addf24fc3c2c14d24c00844bdc24f088b6d418995e97a3e7dc3a421a53b7b7684f256d397698b71264ed94a5abec9252cd2683453a96cd7907c2af90796a8

Filesize: 9KB
MD5: 069c7d5ebc20ead441519fc2807acdfc
SHA1: 94eb49acfddc6450c4810d85271299b49f964a2a
SHA256: af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f
SHA512: 91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Filesize: 170B
MD5: 249fcf756fb182764352b3dedbfbd9bf
SHA1: f518f570ed08664eb37adc49e57eade25a8a5538
SHA256: 1db47da37f726d385c223a22bdae37178ddf868511909907116f3f84bfa34f93
SHA512: 80cf3c8d265aa529f5cc4197c1d6f16719a6464c5f46897bdb101954ab50c3a0fe004d45fa4b8508aaa615667dcca7cb7efe38144881d19b92ba7f4ff4f1ab90

Filesize: 202B
MD5: f0a65ae704b67c221eab61ba1a5f653b
SHA1: 8cf6801e8aed1cf79d1615c310da06bbf43a70ac
SHA256: 053a36e58251bf9006bf4bae29af28361d3e934ca3c70a528674e4e61d0bf631
SHA512: 31d8d94e7ab3e3707c0c03796bd89314ed71102266fd41b7e730b5eb393b31c05bd94037df3d80871614a92f5663c41a9239d6fbe290b917e2113071cb9916ce

Filesize: 2.6MB
MD5: c8d9ac54abb6fcc2947f37a2be0d5d45
SHA1: fb02f3f168868abfab5debe1db540a4abcc9f96f
SHA256: ecb269550a4b84adb3a56ad57ad57ca565cfa787cd400b656d1905dd9b002807
SHA512: 3e2476727aa7377adb129ef41a6cfe9d6bd008a2191843dc5feba8d6d266608e35bf334072a34cbea5900eebb8b6901cf1c519c8d20ddcfc21c42723c69403eb