Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
  Resource: win10v2004-20241007-en
General
Target: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
Size: 2.6MB
MD5: 67021d50d2ef7b5d6af33d2f6d9d4990
SHA1: 96cdb395a603e4418ebdac4275e2eeea03d242e0
SHA256: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2
SHA512: cf1b7e39de9b65e8a3a99f88bda660b15ea1b85176fbb6aaa9a36db83ed7b319427e310c0d103b6fec7c3668d989c21c3cf22c793d15cc44aff31668a5bbe1fe
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
Drops startup file 1 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe  (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
Executes dropped EXE 2 IoCs
  PID 4852: sysxdob.exe
  PID 2716: adobloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9Z\\adobloc.exe"  (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK3\\boddevloc.exe"  (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: adobloc.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid / Process (64 entries across three processes):
  PID 112: 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  (first 4 entries)
  PID 4852: sysxdob.exe and PID 2716: adobloc.exe  (the remaining 60 entries, repeated in alternating pairs)
Suspicious use of WriteProcessMemory 6 IoCs
  description / pid / Process / procid_target:
  PID 112 wrote to memory of 4852  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  87
  PID 112 wrote to memory of 4852  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  87
  PID 112 wrote to memory of 4852  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  87
  PID 112 wrote to memory of 2716  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  88
  PID 112 wrote to memory of 2716  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  88
  PID 112 wrote to memory of 2716  |  112 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe  |  88
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
  PID: 112
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 4852
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\Files9Z\adobloc.exe
    Command line: C:\Files9Z\adobloc.exe
    PID: 2716
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: ffdc4ff2abd3e19c131d1a2d301c1289
SHA1: c0f0b291ca6b2cc549bc38ecfea6ef649ee3da1e
SHA256: 73445eee3c9f1327d056f8519d92bef33ccda6a00807d0d75dd471e3201781fe
SHA512: 211b260129247031284402411da259cab5c92d36b12b39478f909910730028d7b04b76798784be24f71c88fcf40f0fda84c8738ec5a767a7c566c9ba9951ce56

Filesize: 2.6MB
MD5: 2eb391968816d7122b3af25b8833ca50
SHA1: 35e3f80179a4b4f26754984f58abf1eb9760b2f1
SHA256: 78f68dfffed0b3717f863171d14c5b19eeb02cb7a876eaca714a0a4e233d0d54
SHA512: 4c1e8c6c1853a07fc2b26a2afc4ccc88448e9d3208c330f6a6fd8c9c877f5566996fd95b4787af1d2731acf2b8c6ced1fb08f42fdc04384544614f42d49728e2

Filesize: 1.4MB
MD5: 3bacadc52901f954dce0a5446166fe93
SHA1: b29f3d30a741a100e701927a676863b496bbb044
SHA256: 33fd825e2c21dedd19b54fa868bee99e9f0d3bc4c72817d4fdf1c70c208a874e
SHA512: f7e6cf5b363867db10e21159bea60b6a41bce944d0c18bfeb50587530c4c2348eca8a4ead244d178c3bf56997c6351f3d19bd2aa88a0ee51f76643d306d5fffe

Filesize: 202B
MD5: 93f460237f451e4ccf701c52fba40e30
SHA1: 31f0433907e768fcb2c397c965b0814b7fbf98ab
SHA256: 6172a5e8d0853619ca11eb56a33345dd8bee711ee728eb82912d6e3e5daa1ef5
SHA512: d31496d79a970a0d6c9bf581f1a77f330a638c4d55e3ade2c14048e08e0e2c6d0288c1800122fd827a115b751fbf85bdab054682d9eb88be6fb73bc6ab60e477

Filesize: 170B
MD5: 0a816590c9f3757763af7e920b2e0835
SHA1: 82620a2bf429e6952fd463e26267b8f9cefd1155
SHA256: 1c5abc3641d6956a45ff7e55d55e81fea309256899b96c414f3d11af02b4b969
SHA512: 4633c440d83fb77c92ad1e57d7c17f5c33523dab851d80555270d9979784f940a573b309eb884eca6f22f7b7e932f2e571b0dc9eb2a1917206b63c01fe7d6edc

Filesize: 2.6MB
MD5: 91ff049977cfedcd8a11e95b641b73ae
SHA1: c560a627a4bc4a35ea8b6c47749faf819c4cf615
SHA256: 63e05b02d2a6a89f56b127bf8ff8b438cafea637c21cdc03786b50f400306482
SHA512: 9f89ecebc29418b95f8a13c779fedabb2bb0818233cbd6e46fab9cc765fb33414e5f24e1f5ef16b730baa3ac8c97bc2b749d255f317e0a6f3c3f03d615dd318f