Analysis
max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/11/2024, 13:19
Static task
static1
Behavioral task
behavioral1
Sample
87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Resource
win10v2004-20241007-en
General
Target
87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Size
3.1MB
MD5
1cc4fd9074b31a840dc9915f9442bdd0
SHA1
f2fcd902e7097c95ac5391331d85aba2b4e6cc6c
SHA256
87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7e
SHA512
24d2c750c38f24c78d3ab58f03481a3cfab1666be113aa317bd9dbf94ebc46d157308d35f24c0df9669221e3a758d528dd304cdaffd83be456103da7552d1088
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpCbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe

Executes dropped EXE (2 IoCs)
pid | Process
1676 | sysdevopti.exe
2336 | xdobsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs for this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE4\\xdobsys.exe" | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNG\\dobaec.exe" | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Both values use the same name, "Parametr". The Run entry points at xdobsys.exe, which the sample also launches directly in this run (PID 2336). The RunOnce entry points at C:\MintNG\dobaec.exe, which is not among the executed processes; RunOnce values fire at the next logon, so that file has to be collected from disk rather than expected in this trace.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, tallied per process)
pid | Process | hits
4068 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | 4
1676 | sysdevopti.exe | 30
2336 | xdobsys.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4068 wrote to memory of 1676 | 4068 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | 88 (listed three times)
PID 4068 wrote to memory of 2336 | 4068 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | 91 (listed three times)
Both target PIDs are the children that 4068 starts in the process tree below; the report records no writes into any process the sample did not launch itself.
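Added detection example, not part of the sandbox report and not the sample's own code: it turns the persistence and process-tree indicators above (Startup-folder drop, Run/RunOnce values, parent-child relationship) into checks over Sysmon-style events and runs them on a constructed event list that mirrors this run. The event list, the `ROOT_DIR_EXE_RE` heuristic and the `EXPECTED_ROOT_DIRS` allow-list are assumptions for illustration; only the paths, PIDs and SID come from the report.

```python
import re

# Indicators transcribed from this report's Signatures section.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
USER_HIVE = r"HKU\S-1-5-21-493223053-2004649691-1575712786-1000"

RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Heuristic (assumption, not from the report): an .exe in a folder created directly under
# the drive root, e.g. C:\AdobeE4\xdobsys.exe or C:\MintNG\dobaec.exe. The normal vendor and
# user roots are excluded so ordinary Run entries do not trip it.
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}

# Constructed Sysmon-style events mirroring this run (not the sandbox's own log).
# id 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 4068, "parent_pid": 1000, "image": SAMPLE},
    {"id": 11, "pid": 4068, "target": STARTUP_DROP},
    {"id": 13, "pid": 4068, "target": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "details": r"C:\AdobeE4\xdobsys.exe"},
    {"id": 13, "pid": 4068, "target": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "details": r"C:\MintNG\dobaec.exe"},
    {"id": 1, "pid": 1676, "parent_pid": 4068, "image": STARTUP_DROP},
    {"id": 1, "pid": 2336, "parent_pid": 4068, "image": r"C:\AdobeE4\xdobsys.exe"},
    # Benign-looking control entry (constructed): a Run value under a normal profile path.
    {"id": 13, "pid": 5120, "target": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def exe_from_value(data: str) -> str:
    """Executable path from Run-value data, lower-cased, with quotes and arguments stripped."""
    m = re.match(r'\s*"?([^"]+?\.exe)', data, re.I)
    return (m.group(1) if m else data.strip()).lower()


def run_key_persistence(events):
    """EID 13 writes to Run/RunOnce whose data points at an .exe in an unusual root-level folder."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        key = RUN_KEY_RE.search(e["target"])
        if not key:
            continue
        exe = exe_from_value(e["details"])
        root = ROOT_DIR_EXE_RE.match(exe)
        if root and root.group(1).lower() not in EXPECTED_ROOT_DIRS:
            hits.append({"pid": e["pid"], "key": key.group(1), "value": key.group("name"), "exe": exe})
    return hits


def startup_folder_drops(events):
    """EID 11 creations of an .exe inside the per-user Startup folder."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 11 and STARTUP_DIR_RE.search(e["target"])]


def children_of(events, parent_pid):
    """PIDs started by parent_pid; compare with the report's WriteProcessMemory targets."""
    return [e["pid"] for e in events if e["id"] == 1 and e["parent_pid"] == parent_pid]


def unexecuted_persistence_targets(events):
    """Persistence targets that never ran in the trace (here C:\\MintNG\\dobaec.exe); collect them from disk."""
    ran = {e["image"].lower() for e in events if e["id"] == 1}
    return sorted(h["exe"] for h in run_key_persistence(events) if h["exe"] not in ran)


if __name__ == "__main__":
    for h in run_key_persistence(EVENTS):
        print(f"persistence: {h['key']}\\{h['value']} -> {h['exe']} (pid {h['pid']})")
    for pid, path in startup_folder_drops(EVENTS):
        print(f"startup drop: {path} (pid {pid})")
    print("children of 4068:", children_of(EVENTS, 4068))
    print("never executed:", unexecuted_persistence_targets(EVENTS))
```

The root-folder heuristic is deliberately narrow: it catches the C:\AdobeE4 and C:\MintNG style seen here without flagging Run entries under Users or Program Files, and `unexecuted_persistence_targets` surfaces the RunOnce target that this trace never ran, which is the file most likely to be missed if only the process tree is reviewed.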
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe (PID 4068)
  command line: "C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of 4068): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 1676)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Depth 2 (child of 4068): C:\AdobeE4\xdobsys.exe (PID 2336)
    command line: C:\AdobeE4\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Four of the seven files listed are 3.1MB, the same size as the submitted sample, but none of their MD5/SHA1/SHA256 values matches the sample's, so they are not byte-identical copies of it.

Filesize 299KB
MD5 141fbb4f200db924e182b31df937dfc1
SHA1 b9e778f1dfc9c7abed56a94a7d55f19c31ce049a
SHA256 930d4d6dc926b819e0023b980aeb726d7facbc647d9331a1db73d84a4da411df
SHA512 dc620aecdfb5242dc09900c8bb73cb01c9451e4cfa0dd5cd9ed4d4fb8189d5e219545099b2571316c121216740ae4c229dfdaf65c1050d2e5c4ab2d39592618d

Filesize 3.1MB
MD5 ea2070c0b2b2c3741fa083bd651dae76
SHA1 52c66c3a6fd4b135ae861fb29a0853b7be6fc47a
SHA256 2cd35a85ccce0fe694aec806169b60bc06354a9fa0523ae766b43b1d7c18b9b7
SHA512 7b1a1735bfe7b8a4432997a80d2e32e8b8e74d5200624e2eac32de0d265d7a58126eb40073d8c9fbe7d01d325b414be3534cee6520e71a3938463a666975b1cd

Filesize 3.1MB
MD5 5d7c52949a65f525baa7c871a4755c89
SHA1 3749205b8babafed57ebe0244de922cc0d918db5
SHA256 522640076b4946a999cb2d5624f029688fec4ce6ad8222d83b7a3dca858cb9e5
SHA512 422ce3e477614957e621741184a4e2a998686c0739667419220b62bd7ab125d7da533d7b2dcbc69b334598b92566f2d181009df8d84c14bcf93c315e091c96d0

Filesize 3.1MB
MD5 0e0c92fb52ac15ef34204fbb95a38468
SHA1 063ce6e25197dc1d11eb52caab37e6e7b3455afa
SHA256 eac90185a0f5816328da27e75a62bd773b24977ebc39c2c9f1d8f1f1c89769d2
SHA512 04247c473552384847a32f9cd54104cc69749a2a191bb83275968f921ae9d5ed0b337f209931d54c538bcded3c3f00de16f2a858ac0ccaa54991263bdd0f139a

Filesize 202B
MD5 c7ffb16836cb698bb60b2d9dccdb51c5
SHA1 d1d293d7c28bd33ce02b26692556a52de979e376
SHA256 6229c9808003ed478b4374cdb0bf0293c358e1d17dc3b557d4cc8ca2840c9414
SHA512 5cffa016fa494b246f0fbbd510ee2fb8323d7cf111ca768fa6f452b18adf885d59cb72ecef0166f40eaecbec0ac0e5c52c0d3672ce6d4d5b594d026d88ac2afc

Filesize 170B
MD5 980efc9f74bb529f762cb3fb90d03644
SHA1 0bbf8584cf6b2a9e26792b1c90ab05e69049ed0d
SHA256 596671ff7e69be370b3dd34a49411861b8b34911db5b57015d7765120d80d809
SHA512 5ebfc10ce89f96512cab9fa3840f8302765b2a18534e2de0282439fa20eb025f29d5d60ec73ab6fe4c62db2a2e97a0014974da0922fcf2758870b9a253692286

Filesize 3.1MB
MD5 21c8429f4521e0cfe01f1eb67e9017f4
SHA1 9215e6e30faf7acc9b2a354371b7d658417e8cfc
SHA256 e2db10aba2ee0815bc60bbd54d9cdcbf599202b86ddbf089c8ffc2b204bf4936
SHA512 ee9cb6c2ee4f01ec54570a31e4497ec2a647a6be3193707e382cc3243bf8b3e4b64ceb20cf8602bc095ecefe72cd1bdbbc059fba3af6c22f1e93807a9071bb77