Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 22:31
Static task: static1
Behavioral task: behavioral1
- Sample: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
- Resource: win10v2004-20241007-en
General
- Target: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
- Size: 2.6MB
- MD5: 67021d50d2ef7b5d6af33d2f6d9d4990
- SHA1: 96cdb395a603e4418ebdac4275e2eeea03d242e0
- SHA256: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2
- SHA512: cf1b7e39de9b65e8a3a99f88bda660b15ea1b85176fbb6aaa9a36db83ed7b319427e310c0d103b6fec7c3668d989c21c3cf22c793d15cc44aff31668a5bbe1fe
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
- Executes dropped EXE (2 IoCs)
  PID 1144: sysadob.exe
  PID 2720: abodsys.exe
- Loads dropped DLL (2 IoCs)
  PID 1792: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
  PID 1792: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIJ\\abodsys.exe" (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidH3\\dobasys.exe" (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1792: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe (2 entries)
  PID 1144: sysadob.exe and PID 2720: abodsys.exe, alternating for the remaining entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1792 (5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe) wrote to memory of PID 1144, procid_target 30 (4 entries)
  PID 1792 (5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe) wrote to memory of PID 2720, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
  PID: 1792
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (child of PID 1792)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 1144
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeIJ\abodsys.exe (child of PID 1792)
    Command line: C:\AdobeIJ\abodsys.exe
    PID: 2720
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads