Analysis
-
max time kernel
119s
-
max time network
96s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20241007-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
08/11/2024, 12:52
Static task
static1
Behavioral task
behavioral1
Sample
7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Resource
win10v2004-20241007-en
General
-
Target
7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
-
Size
2.6MB
-
MD5
f0b744b1415c66f734160a603184c720
-
SHA1
3e3eb1b6ff0da239fed74b163db964a07989b53d
-
SHA256
7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2f
-
SHA512
2eb3d293682bf0599ea86b7d455818f3201d0aa71a2d0e14ee43d5f9f63ec608f370a2ba299e5362906a244e402d58377d9e2a940d35992696e7f291a2eb6d76
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4984 | sysaopti.exe
936 | xbodec.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents. No individual IoCs are listed for this signature in this run.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4L\\xbodec.exe" | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6W\\dobasys.exe" | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Note: the Run target C:\Files4L\xbodec.exe was executed during the run (PID 936); the RunOnce target C:\KaVB6W\dobasys.exe does not appear among the processes observed, so it would only fire at the next logon.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
916 | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | 4
4984 | sysaopti.exe | 30
936 | xbodec.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target | events
PID 916 wrote to memory of 4984 | 916 | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | 87 | 3
PID 916 wrote to memory of 936 | 916 | 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | 90 | 3
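The signatures above reduce to three observable events: a file written into the per-user Startup folder, REG_SZ values set under Run/RunOnce, and a read of the NLS\Language key. The following is an added example for this report, not output or code from the sandbox, showing how those three behaviours can be flagged in endpoint telemetry. The event records are constructed from the IoCs listed above (the event schema with type/process/target/value fields is an assumption), and the TRUSTED_PREFIXES heuristic that marks autostart targets outside Program Files and Windows as suspicious is likewise an assumption, not something the report states.

```python
"""Flag the persistence and discovery behaviours from the signatures
above in endpoint telemetry.  Added example for this report; the event
records below are constructed from the report's IoCs, not exported from
the sandbox, and the event schema is an assumption."""
import re
from typing import Iterable, Optional

# Per-user autostart keys; the value name is the last path component.
# Matches HKCU\..., HKU\<SID>\... and the native \REGISTRY\USER\<SID>\... form.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders share this tail.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)
# Key the sample opened to learn the OS language (any control set).
NLS_LANGUAGE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\NLS\\Language$",
    re.IGNORECASE,
)
# Heuristic (assumption): autostart targets outside these roots deserve a look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

SAMPLE = "7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
SID = "S-1-5-21-4050598569-1597076380-177084960-1000"

# Constructed telemetry mirroring the report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "process": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"},
    {"type": "RegistrySet", "process": SAMPLE,
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r'"C:\\Files4L\\xbodec.exe"'},
    {"type": "RegistrySet", "process": SAMPLE,
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r'"C:\\KaVB6W\\dobasys.exe"'},
    {"type": "RegistryOpen", "process": "sysaopti.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "RegistrySet", "process": "setup.exe",  # benign: vendor updater
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\\Program Files\\Vendor\\updater.exe"'},
    {"type": "FileCreate", "process": "notepad.exe",  # benign: ordinary file
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]


def normalise_reg_value(raw: str) -> str:
    """Strip the quoting and doubled backslashes the report shows for REG_SZ data."""
    return raw.strip().strip('"').replace("\\\\", "\\")


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None when it is not interesting."""
    kind, proc, target = event["type"], event["process"], event["target"]
    if kind == "RegistrySet":
        m = RUN_KEY_RE.search(target)
        if m:
            exe = normalise_reg_value(event["value"])
            return {"technique": "T1547.001", "process": proc,
                    "detail": f"{m.group(1)} value '{m.group(2)}' -> {exe}",
                    "suspicious_path": not in_trusted_dir(exe)}
    elif kind == "FileCreate" and STARTUP_DIR_RE.search(target):
        # Anything written here runs at the next logon of that user.
        return {"technique": "T1547.001", "process": proc,
                "detail": f"Startup folder drop {target}", "suspicious_path": True}
    elif kind == "RegistryOpen" and NLS_LANGUAGE_RE.search(target):
        return {"technique": "T1614.001", "process": proc,
                "detail": "read NLS\\Language (system language discovery)",
                "suspicious_path": False}
    return None


def scan(events: Iterable[dict]) -> list:
    """Run classify() over a stream of events and keep the hits, in input order."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = "!" if f["suspicious_path"] else " "
        print(f"{flag} {f['technique']} {f['process']}: {f['detail']}")
```

Run against the constructed events this yields four T1547.001 findings and one T1614.001 finding; the three rows that mirror the sample are marked suspicious because their targets sit under C:\Users\...\Startup, C:\Files4L and C:\KaVB6W, while the Program Files updater is reported but not flagged. The NLS\Language read alone is weak evidence (many legitimate installers query locale), which is why it is kept as a plain discovery finding rather than an alert.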
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
Depth: 1
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 916
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  Depth: 2 (child of PID 916)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4984
-
  C:\Files4L\xbodec.exe
  Command line: C:\Files4L\xbodec.exe
  Depth: 2 (child of PID 916)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 936
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
3274fb7b1e41af62f5e1599fe37975bc
SHA1
edb4cef9f85e9f2da43cdf7ed7da32acf0966791
SHA256
16293dbd4aca13eae316c035ac521dc1e8b56ae2eab0add4f857e1b6252e2c92
SHA512
1e82dbda15b85b1ec2750fb528dee396dfdf037ab58eebad2a1b08fb77fb9d63643e0f9637b94e78aa8ca1197ed7a0da8a9cea286767db5f81800854d7fa5f65
-
Filesize
2.6MB
MD5
5d02be3d7fa3783754a6a2a261804e0d
SHA1
8816b8fc938856924030544a394a1f4349c31eda
SHA256
8a549cf241ed5c0f1590e134906735461218856cbc5d5a59f9a82d038f33f4ef
SHA512
18a6dd1c8e7cfba70edd0507cb49de504247d3f40952d4a91081aecf9a3c297b071d44430ec44ddd0296b6bb794d2096fe8898bc346582d51a7a7b1f46ddb35e
-
Filesize
903KB
MD5
8061bf712d9a838fd6dc7b1418e16377
SHA1
a55109db63df11e56306f4e26a51656ac532fd43
SHA256
b239ffc41b459f36a0f56fa3a57061e32adb4d09fbcb92ef6e30386e387ae9f4
SHA512
33a4b8edcee731d4c6e726e7298ce94a10cdbdb116b422c8476fff894fef2379ca44f111134bff736a15962e7c329bc3dd74302da26c46cae0e00685b50ffc23
-
Filesize
200B
MD5
b649e013f0a558a09cf03599172d0731
SHA1
1fd7a9df0fe2aeb3b22d9a0c96967d89f254db89
SHA256
38cf65c2d026a8ad26657aa7b487466c4f0b33c04d0d61f3a6cac8a1db947b63
SHA512
9ddae270f4de77e0c314f6c0e1525e59016068024b2eee38df52b3393d44202bceb483a4e69e54e5a9cbc28050fe3840df5637aec5f08520c57ba973eb8140ea
-
Filesize
168B
MD5
7ce02e981e1405b6511c95f11a5c9515
SHA1
b1bc2c9bfcc89ce7a2f1a37e9d32ca410ec72962
SHA256
2669f8b48e8e65651a37d3274859d7c15245e2ff57c591202da30e27263a1f79
SHA512
6c591376e0dd8365615522e3f77727d5f004f9b5508e7d00555c85a66d849dc850ae86f109cab14338db7f74c2adc989dae4d35b5f6611747fff9766eefb10a1
-
Filesize
2.6MB
MD5
7553c1e5bea01a916c1ad0f70918b82c
SHA1
e606f6e17d32542452b76520bc017c8c50554ca5
SHA256
92b431922676a7ae1f21d85a15805f963ec798a6a69fd7fa39add2e117a387cc
SHA512
8b30879b4983651ba6267dcdf88d152b4741db5bb26feb496c5a63d4f478947ffb036f699a8802955412b47667933fdcabaeac2a1a70ecc481182c6371376ffc