Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Resource: win10v2004-20241007-en
General
Target: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
Size: 2.6MB
MD5: b4c9c128686a3fac8b814409e999a4c0
SHA1: c04f59affa44c0a1f545ade6c6145b66f6797db7
SHA256: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988b
SHA512: 39ae727769be238737997b53e6dcbe94e9b79d25ab99ea120930954e9802649bd389522fc0aff82c44bb1314142d880fd8d105fa329ceb3d237e351cfa8a3581
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    by process: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe

Executes dropped EXE (2 IoCs)
  PID 2488  sysxopti.exe
  PID 2252  abodec.exe

Loads dropped DLL (2 IoCs)
  PID 2132  12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe (2 events)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\abodec.exe"
    by process: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidP1\\dobasys.exe"
    by process: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: sysxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: abodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2132  12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe (repeated)
  PID 2488  sysxopti.exe (repeated)
  PID 2252  abodec.exe (repeated)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2132 (12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe) wrote to memory of PID 2488, procid_target 30 (4 events)
  PID 2132 (12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe) wrote to memory of PID 2252, procid_target 31 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
  PID: 2132
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe  (child of PID 2132)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 2488
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvZX\abodec.exe  (child of PID 2132)
    Command line: C:\SysDrvZX\abodec.exe
    PID: 2252
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads