Analysis
Max time kernel: 119s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 08/11/2024, 14:37
Static task: static1
Behavioral task: behavioral1
  Sample: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Resource: win10v2004-20241007-en
General
Target: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
Size: 2.6MB
MD5: 2c5727a954b8acb61e9702f5f8624360
SHA1: 1d787ffc4d49ae5bf8878f35d966810d8c9cae8c
SHA256: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcf
SHA512: e9cc85af137e2b0731ab1714b46bce5df7cacb166668780227bf1530003265532591e81dcbd0583c110045b77c5ab1b3ba880efb9df42be977478c2e22a5b3ad
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2664 | sysxbod.exe
  2780 | abodec.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVA\\abodec.exe" | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNQ\\optixec.exe" | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  2664 | sysxbod.exe
  2780 | abodec.exe
  (the remaining entries alternate between 2664 sysxbod.exe and 2780 abodec.exe, 31 entries each, for the 64 IoCs listed)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 628 wrote to memory of 2664 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 31
  PID 628 wrote to memory of 2664 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 31
  PID 628 wrote to memory of 2664 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 31
  PID 628 wrote to memory of 2664 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 31
  PID 628 wrote to memory of 2780 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 32
  PID 628 wrote to memory of 2780 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 32
  PID 628 wrote to memory of 2780 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 32
  PID 628 wrote to memory of 2780 | 628 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 32
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
      PID: 628
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
        PID: 2664
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\AdobeVA\abodec.exe
        Command line: C:\AdobeVA\abodec.exe
        PID: 2780
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 2e2ad8c4872ad10cd2f913a6664c465f
SHA1: 7661ea0fe45a5fff7ec2eca624e471651bef2bbd
SHA256: c3bb104b485f1d060b46a744627926857c85450032ef4da95f802b8373cd1950
SHA512: a12a9f1421a15e23d2f470a7578bda07bbd4a3522252c9bf957cbf27bb9ab7ef0af06169b9095ed820f4c97238740a453291f41aaa39e74b5ca17b1f2237b416

Filesize: 166B
MD5: 80d6138e564e7fd2c4a1661211e29cc3
SHA1: 06214a0c1477cc025be2d6124517fe887e674c65
SHA256: 69dea7a9b85de633ed3ddbf9dd32db02c6a2d4c3ab45a8d72fb4111197c8a977
SHA512: 2fd9c46642dd4fc2de01e5c5cb8bc8a2427d1bee387d1919698a6fb53602faae2e31e64825d7e8702063b4bb363f009364ca258cea11d8e851bef7c1bde025bc

Filesize: 198B
MD5: a2293175928f191234dc68156f7274ed
SHA1: 652ba82b0ae3916c9101d35e6ccf63311ad028a3
SHA256: 808b5bd08e529475cd0ae08db191f9dc01483000bc6a0ab84eef90cd29827747
SHA512: 80a9910a8f25157a1b09d265baf2f8b7d5673c8e6aa92820761a0829ca70c7ba0a315edfaa484111269d728d1928bd666a385c91506ef7c8dc0957c4ab4c6278

Filesize: 2.3MB
MD5: 3f741ff25655ad6e1a7642dd208cf5f4
SHA1: 4e0c7488787b0066dbb806d5b7417dc39b70c5b5
SHA256: 56c91d8a748fc8617b8dcc8ba55bfb93b8d132ebd8c64c3ff20329cd6c1131cf
SHA512: 06a108f5ec4e958c36c48b9d7c7a182841538462a36009dc8484b49847431e0183e696f0831e122ae7d3b982d12a7d65f7d24ec5cea990f52f6711eb8b7f3d53

Filesize: 2.6MB
MD5: 2b23ec558225c41f12d928026a556b97
SHA1: e9678b27b3f0a940fe3de221374212f4c0b2d953
SHA256: 27a7e0c8f5760ea6bec2cb242d4106017d86c41686a8b1a5825da4123407d1dc
SHA512: 59d7c703d4242bf8b8325004e794c252bb199252218d0b66b3feea1d27105e9bf9856cea46c9aa6a688e013aea7b11a9398047414b2bb86ab37a80d536719868

Filesize: 2.6MB
MD5: 52187aa753bc94cdebd9a56a2ddab035
SHA1: be195be9df5a0af742166b0d4ccba2accbc7a17f
SHA256: d0ebf86797d41f0ca23cfffd9587288ea30916790fc485970a1fde028b5ecdf9
SHA512: 27820671ee21e8fa046de0e21e58917a50e095e97c401eeb71acd6f394fc7255027d9aa0a9f0401ba7c6d9c68aef1248a66a8cb9fd8e226127fc0d5bc412c248