Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:20

General

  • Target: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  • Size: 2.6MB
  • MD5: b4c9c128686a3fac8b814409e999a4c0
  • SHA1: c04f59affa44c0a1f545ade6c6145b66f6797db7
  • SHA256: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988b
  • SHA512: 39ae727769be238737997b53e6dcbe94e9b79d25ab99ea120930954e9802649bd389522fc0aff82c44bb1314142d880fd8d105fa329ceb3d237e351cfa8a3581
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
    "C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2488
    • C:\SysDrvZX\abodec.exe
      C:\SysDrvZX\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvZX\abodec.exe
    Filesize: 2.6MB
    MD5: 88c9807917b8fc1f18ae6cac69e12974
    SHA1: 5780a2f721532a3d5572f879a8e362f8773af0f5
    SHA256: fa789c3a884ba28d5503ff5f9ed8d6927a6422e995688c214636d8b99d515b3a
    SHA512: 801b6b5cf0a2be780c3057b9899825cffbf638414bb4da326f2ea8962baa57e51480e50b789df1ef4c166506f555e2752c93b48006b85e14af81a7f3a0206f02

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 168B
    MD5: 339e058d85760ea128fb6c6e7c782b7e
    SHA1: 766cc330814964cdbeaf0cdc3a1bc39e0e6ab026
    SHA256: 647cb98f6d720e6b1a6088281613874fae215d962b53b7211272b0ddb6701be1
    SHA512: 30c9873ccc82d194efac702a5c5d3e79f2ef609b8d1f07482a0340d927ffba14bcfff6974cf94cf43b600614ffe80b5a4c5f27927f23c59919e763e382fedf6e

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 200B
    MD5: 1a8fe00cda1f4e0898495021ceeb2520
    SHA1: e0a7cef9e576aad2abdc86c547668b3676078af4
    SHA256: e5a0219a1ba82b9dc8c963d0876c9925762231037e9421df59771b3dd507ed92
    SHA512: f62bd66b4817f808b3432ef6456a220b1aa348dd7e6755c150e135bc9dad963240b1990b802d794f9dd7b44354f9af7ddf06606cfad678802509ad64bc04574b

  • C:\VidP1\dobasys.exe
    Filesize: 2.6MB
    MD5: 3fd8a40292597394b4b380f8c47ea0c9
    SHA1: 4ab5d744b2a01845d956822bd7b7178ce691cae6
    SHA256: be1e9e8480d31f2d9b756989299057c973fdd7b6b9e4ee7293157793de5a6543
    SHA512: 2caf393b8c527da5c430035d8603762fb1c33418268b9be5254f3c5d3561bc2d384f82d3f1202e3988ebcf960723047f7cb3869e5ffae1e4f0fb034f91e53736

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: be3d274cfe12f814bcd7082cf593c23e
    SHA1: fc1f0a1ff23a6f1cd5855dd4dfcf988bd5ceba3d
    SHA256: 7af6faf1a811320922dc694af6a55c3d74dff694f166a79a1e45ac526d6f3aa0
    SHA512: 4c98dfdc7d30bcf62bcbef10e3ed7ee50674e6194b2154b12e2173688310830defb5c79dd3c51c28acd969c882caa52dd77a8512537abdd32d2228bb8d9e0f4c