Analysis
-
max time kernel
149s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
09/11/2024, 19:46
Static task
static1
Behavioral task
behavioral1
Sample
1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
Resource
win10v2004-20241007-en
General
-
Target
1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
-
Size
2.6MB
-
MD5
8dd78af353a40a21e7f4a68d1f98d862
-
SHA1
968360bbe8492b80a45278d27f38f55a03dff1d2
-
SHA256
1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d
-
SHA512
dedf814fd9efaf3506bfeddc1189419968b2d2bb11927fae67936938d0a2a9518b1e319267f2a9b633663e9adb19edb4297d664f1f4492327c50a64e40b07a17
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
-
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe) -
Executes dropped EXE 2 IoCs
PID 2828: sysaopti.exe
PID 2476: adobloc.exe -
Loads dropped DLL 2 IoCs
PID 2200: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe (2 entries) -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4N\\adobloc.exe" (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW3\\dobxec.exe" (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe) -
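The Run and RunOnce values above, together with the Startup-folder drop, are the whole persistence story of this sample: two binaries in freshly created root-level directories (C:\UserDot4N, C:\KaVBW3) and one in the per-user Startup folder, all registered under the same value name. As an added example (not code from the report or from any sandbox vendor), the script below parses indicator lines in the flattened form this report prints, keeps only the entries that create an autostart, and flags those whose target binary lives where no installer would put it. The TRUSTED_PREFIXES allowlist and the benign `Updater` control entry are assumptions made for the example; the other three input lines are copied from this report.

```python
"""Triage the autostart indicators from a sandbox report.

Added example for this page: not code from the report or from any sandbox
vendor. It parses "Set value" and "File created" indicator lines in the
flattened form the report prints, keeps the ones that create an autostart
(Run/RunOnce values, files in the Startup folder) and flags those whose
target binary sits where no installer would put it. TRUSTED_PREFIXES and
the benign control entry are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field

SAMPLE_PROC = "1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
SID = "S-1-5-21-3692679935-4019334568-335155002-1000"
CV = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion"

# Constructed input: the three persistence indicators copied from the report plus one
# made-up benign Run value so the heuristics have a negative case to leave alone.
SAMPLE_IOCS = [
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe {SAMPLE_PROC}",
    rf'Set value (str) {CV}\Run\Parametr = "C:\\UserDot4N\\adobloc.exe" {SAMPLE_PROC}',
    rf'Set value (str) {CV}\RunOnce\Parametr = "C:\\KaVBW3\\dobxec.exe" {SAMPLE_PROC}',
    rf'Set value (str) {CV}\Run\Updater = "C:\\Program Files\\Example\\updater.exe" explorer.exe',
]

# "Set value (<type>) <key>\<name> = "<data>" <process>" and "File created <path> <process>"
REG_LINE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
FILE_LINE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")

HIVES = {"\\REGISTRY\\USER": "HKU", "\\REGISTRY\\MACHINE": "HKLM"}
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\currentversion\\runonceex")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Assumption: where legitimately installed autostart binaries live on this estate.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    location: str              # registry value (HKU\...\Run\Name) or dropped file path
    image: str                 # executable that will run at the next logon
    process: str               # process that created the entry
    reasons: list[str] = field(default_factory=list)


def normalize_key(key: str) -> str:
    """Map the kernel object path the sandbox prints onto the usual hive shorthand."""
    for raw, short in HIVES.items():
        if key.upper().startswith(raw):
            return short + key[len(raw):]
    return key


def image_path(data: str) -> str:
    """Recover the executable from value data; the report doubles backslashes, so undo that."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]          # quoted image, arguments may follow
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def location_reasons(image: str) -> list[str]:
    """Why a path is an odd home for an autostart binary; empty means it looks normal."""
    low = image.lower()
    if low.startswith(TRUSTED_PREFIXES):
        return []
    reasons = []
    parts = low.split("\\")
    # "c:\dirname\file.exe": exactly one directory between the drive and the file
    if len(parts) == 3 and re.fullmatch(r"[a-z]:", parts[0]):
        reasons.append("binary in root-level directory " + parts[0] + "\\" + parts[1])
    if "\\users\\" in low or "\\appdata\\" in low:
        reasons.append("binary in user-writable profile path")
    if STARTUP_DIR in low:
        reasons.append("file dropped into Startup folder")
    return reasons or ["binary outside trusted program directories"]


def triage(lines: list[str]) -> list[Finding]:
    """Return the autostart entries that deserve a look, each with its reasons."""
    entries: list[Finding] = []
    for line in lines:
        if m := REG_LINE.match(line):
            key = normalize_key(m["key"])
            if key.lower().endswith(AUTOSTART_KEYS):
                image = image_path(m["data"])
                entries.append(Finding(key + "\\" + m["name"], image, m["proc"], location_reasons(image)))
        elif (m := FILE_LINE.match(line)) and STARTUP_DIR in m["path"].lower():
            entries.append(Finding(m["path"], m["path"], m["proc"], location_reasons(m["path"])))
    # This report sets one value name under Run and RunOnce for two different binaries;
    # a name reused for different images is itself worth flagging.
    by_name: dict[str, list[Finding]] = {}
    for e in entries:
        if e.location.startswith("HK"):
            by_name.setdefault(e.location.rsplit("\\", 1)[-1].lower(), []).append(e)
    for name, group in by_name.items():
        if len({e.image.lower() for e in group}) > 1:
            for e in group:
                e.reasons.append(f"value name {name!r} reused for different binaries")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"{f.location}\n    -> {f.image} (set by {f.process})")
        for r in f.reasons:
            print(f"       * {r}")
```

Run against the report's lines this yields three findings and ignores the constructed `Updater` entry; the same parser accepts any number of report lines, so it can be pointed at a whole signature section rather than the three indicators shown here. The root-level-directory check is the one that matters for this family of droppers: legitimate software almost never persists from `C:\<random name>\`, so that single heuristic separates both Run values from the control entry without any signature knowledge.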
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobloc.exe) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2200: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe (2 entries)
PID 2828: sysaopti.exe and PID 2476: adobloc.exe, alternating (remaining 62 entries) -
Suspicious use of WriteProcessMemory 8 IoCs
PID 2200 wrote to memory of 2828 (pid 2200, 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe, procid_target 29): 4 entries
PID 2200 wrote to memory of 2476 (pid 2200, 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe, procid_target 30): 4 entries -
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe, command line "C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200 -
Level 2 (child of PID 2200): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe, command line "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2828
-
-
Level 2 (child of PID 2200): C:\UserDot4N\adobloc.exe, command line C:\UserDot4N\adobloc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2476
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5 5923515b3fce01ebc92e0c070146cd6f
SHA1 70322451010207b3477426800f83c2dafd955477
SHA256 bf6be54fbd76564887bc3a7586d35c86be31d7e88eae308e05139ff4f27df8fe
SHA512 ad194aef8a0b362b4706e7ebf0b22cafaf3f28426e539f0f674d6e3b0da8a1d9a02c464a57d89cd9790d16d72f4cd7a2b7a4f5daa8064d86edcbfa0225cc275a
-
Filesize
2.6MB
MD5 313500da59f28a965bf6ca399fb560d9
SHA1 b26030fa4e63bd01d27b57b3aa11a7d5cd7100e5
SHA256 d351fa1fb8ba789289aed52c4020c0ca26e1958178480caff086344baed18e21
SHA512 f6df5ea3cc4f2fc83c929a0ebe2c808b5775c4801c5a3977330193ed6cd8b19188cd60c8bc63eaeab43783874b75d7ab87ace56efbe422e15e0893d69b583a45
-
Filesize
2.6MB
MD5 e31a65ae579441b45f3c309409ca442d
SHA1 63363ce16cb0eaccac734e53dd40cf7e5f564770
SHA256 5ee8b287c5c39e452fe2cc9d72b7eb544fe1ce8b9c73f0e997fa0438ddbcd9c9
SHA512 82e350d3f7b0ab7c5990407200b3a4a4a0192cb0eecd49665233f996a4854794b265d176ba653ec5ea2bdf1d6195fe832467e078eb5590b426bc85028d180b07
-
Filesize
170B
MD5 5ed5f607e3160309103f88f4162fbb3f
SHA1 a5d425cfff5fd231d1c74f23c60e005a5b426547
SHA256 8dbce2cf1ed3f4e6d789fa4c4be59899b049811433834ff70548520f32c24a79
SHA512 95fc2fa26f096a11695f8be36656f88eb2e897f4742d2399a7dcb62cb09828ce10ff6d74bf95d89ebdfce1c995da541916c72dcf88980383652e223d4c114d5d
-
Filesize
202B
MD5 71a4f1220e76772077eb1839f81c463a
SHA1 10177d9db956c5f8baef38bcbe8ae91fff06c895
SHA256 b5f33c220a208c189e62ed02e41a1c2b09eed1bedebe71a5d8c0c69ef1dc270a
SHA512 5fb9c45aa84ba220941713f6089e7651c1ee9c99c6730b1a55e666e269374223f7fa278677ee61e5d6b7da20441ce196fb5576fdfc693a6af8d2462eb37e6b65
-
Filesize
2.6MB
MD5 9fd8a9bb9f08394e386b41a0c260df4d
SHA1 90029781c44accfc5342ba5b317daec2fae19949
SHA256 13f47561316a13097429cbb08bf4dc966236f86629520ee6155ffe68bd6756df
SHA512 258d66dfe52d450810548910ec785d925bb18eee246fc0784882de0288f98ec790e775658188dabb466fdce69e3019704cf975caca12cff6e31891c9843dd6c9