Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
10-11-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
Resource
win10v2004-20241007-en
General
-
Target
668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
-
Size
2.6MB
-
MD5
94e10e447e2a27fbe826f53226aafc60
-
SHA1
0cf3b90fbcad5eacf96fbb85ee2ea9b675918b8f
-
SHA256
668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61
-
SHA512
3f4b0a685bb2d64c49689406f7c140d9488c64b53f154e69667a738f8eff66e77c29b8f341c32e4052e38ae8ca9528ce4700e7abecc7ce8fc772b2e971681519
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
-
Executes dropped EXE 2 IoCs
Processes: sysxdob.exe, adobsys.exe
pid 2808: sysxdob.exe
pid 2732: adobsys.exe
-
Loads dropped DLL 2 IoCs
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
pid 2152: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe (2 entries, one per dropped DLL loaded)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4V\\adobsys.exe"
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJE\\bodxsys.exe"
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
Note: both values share the name "Parametr", which is a usable hunting pivot. The RunOnce target bodxsys.exe does not appear in the process tree of this run; only the Run target adobsys.exe and the Startup-folder copy sysxdob.exe were executed.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading NLS\Language is also done by plenty of legitimate software, so on its own this is a low-fidelity signal; it matters here because all three processes in the chain perform it.
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe, sysxdob.exe, adobsys.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: sysxdob.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: adobsys.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe, sysxdob.exe, adobsys.exe
pid 2152: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe (2 entries)
pid 2808: sysxdob.exe and pid 2732: adobsys.exe (the remaining 62 entries alternate between these two processes)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
description: PID 2152 wrote to memory of 2808
pid: 2152
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
target process: sysxdob.exe
(4 entries)
description: PID 2152 wrote to memory of 2732
pid: 2152
process: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
target process: adobsys.exe
(4 entries)
Note: a small, fixed number of writes from a parent into each child it has just created is also produced by ordinary process creation (the parent populates the new process's startup parameters), so this signature corroborates the parent-child relationship rather than proving injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
command line: "C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
depth 1
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
depth 2 (child of PID 2152)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2808 -
C:\UserDot4V\adobsys.exe
command line: C:\UserDot4V\adobsys.exe
depth 2 (child of PID 2152)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2732
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
14KB
MD5 5ffab038d17d47771c031d3b701e0cc5
SHA1 74d331d26e5210e7e523c750b0080e1641bb61f5
SHA256 1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982
SHA512 fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec
-
Filesize
2.6MB
MD5 c18410dae2f8f403e9119c90d20f9350
SHA1 3050df89e1d8a12e6931d85290f57310b97156b3
SHA256 cbc6098f1ffeebc297284f32d23888696b800239c85097e2a83e995736cf01a3
SHA512 b68d08252e6c0375195ef830eb4013dd69be6b16cc2ddbb1b6cd772e107f3fa600dae9311eda18b728c60ae4c6ea024a62ea43d6e531307df14865f134ee700a
-
Filesize
5KB
MD5 b1bff5461f6eccee15bc13b90b862c37
SHA1 9b68b3e8bd60c2c4b00d1ff961e9c20b00350466
SHA256 31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498
SHA512 fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0
-
Filesize
2.6MB
MD5 246b1ad5d4e63d93358cb17d9c8e6f4e
SHA1 9b8ba61df6f3fc44323e371a5919f8364f2ec712
SHA256 4dd27231988530313ac5252af1c0be1756195c16621a7d5b8e2f6274e04b08b3
SHA512 c20b4f1d84be999b582343a681c8a9480386e87c7523716fc5c85903b93e87866f19d7aec334c897d0f37c1713a7df3bd874e82440553939c3b09c946f1a8589
-
Filesize
170B
MD5 50cef773ffe689b44d7b1b7cf47d18d6
SHA1 330b7308674bc7f70e83f52dd2ceffda94934dc2
SHA256 17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3
SHA512 69ac24ccd4453110dfae2b30a38c90e8467a6bf9cedbd5a535e0942a74b324e814007a131cdddc7cb1cc7ea16fadbd1d502e715457bcd07548c90e07d881c4df
-
Filesize
202B
MD5 aeb384f1e097ea21d505bf5ca2c7c1a2
SHA1 828bb63147b318e28988954fb745cfa007a35e12
SHA256 343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8
SHA512 bdfe85dd5268ad255e9fdef1286e03aaba2143450a3b7a984086e9b81a2ec8934ef3184044336ff009c30d706acafe79d54233834a3e9381879aefae3607acfd
-
Filesize
2.6MB
MD5 52aad5152b34da661b520fb20c24d729
SHA1 1cfadaa19d566a7d114a70f865d4aaee6e36fc66
SHA256 5d3ed0b5e47c42157dbed8e29c6f64aa9ba98b0c6d2e60430fe02fabbe1fe310
SHA512 be2b5b137a0214e497fb0f5a5a1f6e42d50e0d4b0738e2a2786eef7e220069689138ba0fa271ae8e76ed06c5ea4a045c62deea78ca5b910aa9bfbe03992a26f5