Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 14:54

Static task: static1

Behavioral task: behavioral1
- Sample: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
- Resource: win7-20241023-en

Behavioral task: behavioral2
- Sample: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
- Resource: win10v2004-20241007-en
General
- Target: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
- Size: 2.6MB
- MD5: 5fd1eaa5bafc7b3c881b91da1d0e0ae0
- SHA1: fc34e90d58f6e4d457fea938a790713b58e43ee2
- SHA256: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b
- SHA512: 87ca8039307e11b974a1c3fdb891defb14f7dd3096397813d80ae443c36a8dce4608d21db613ccf76371d183a1a099222eca2331fb2235d672bc1bfd16f36049
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)

Executes dropped EXE (2 IoCs)
- PID 2484: sysxdob.exe
- PID 2060: devoptisys.exe

Loads dropped DLL (2 IoCs)
- PID 2580: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
- PID 2580: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2P\\devoptisys.exe" (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQG\\bodxloc.exe" (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptisys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2484; procid_target 30
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2484; procid_target 30
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2484; procid_target 30
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2484; procid_target 30
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2060; procid_target 31
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2060; procid_target 31
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2060; procid_target 31
- PID 2580 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 2060; procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
  PID: 2580
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2484
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv2P\devoptisys.exe
    Command line: C:\SysDrv2P\devoptisys.exe
    PID: 2060
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads