Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 23:02
Static task: static1
Behavioral task: behavioral1
- Sample: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Resource: win10v2004-20241007-en
General
- Target: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Size: 2.6MB
- MD5: 2592424d2fc5fed0e389c9ef93d1ffc3
- SHA1: cfa1a620ad2808318c8d4f282d474e0fbb4556e8
- SHA256: 9f162b3ad9ca4820511ca82de5d7b93bda80f37228bff0b996482b207e2c8260
- SHA512: 5d769a726a5c2f6e3f126682b97be67cca53fedded8bf313d85a858df3458001c78e2718c32772ca44c4594240e842253f254a6f867f7410b995025fb3f61f7e
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqi:sxX7QnxrloE5dpUpmbVi
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe)
Executes dropped EXE (2 IoCs)
- PID 2236: sysadob.exe
- PID 1256: xbodsys.exe
Loads dropped DLL (2 IoCs)
- PID 1868: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- PID 1868: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7G\\xbodsys.exe" (process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXB\\optidevloc.exe" (process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodsys.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1868: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe (2 entries)
- PID 2236: sysadob.exe and PID 1256: xbodsys.exe, alternating (remaining 62 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1868 (dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe) wrote to memory of PID 2236, procid_target 30 (4 entries)
- PID 1868 (dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe) wrote to memory of PID 1256, procid_target 31 (4 entries)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
  PID: 1868 (depth 1)
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2236 (depth 2)
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Process: C:\Adobe7G\xbodsys.exe
    Command line: C:\Adobe7G\xbodsys.exe
    PID: 1256 (depth 2)
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
  SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
  SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
  SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712
- Filesize: 2.6MB
  MD5: dc841518908b59993a7dc3b76f2d8fa5
  SHA1: 11080f957adaf78193805a781975215a008b1e41
  SHA256: b9dc4e1720ebc4c4fcdd2a375915ef115c2ddfb26164fd1c32aa96d7e59d07a4
  SHA512: fe4e06f7a689364c17062b5a8f43776ba7f64659e639ec71584188cf1c2f80c3eef37240e05fcab92fff1af5ee53089a9251005d799060080098bbeb37aaf11e
- Filesize: 10KB
  MD5: 211c211281a83cae04ba8989e177223a
  SHA1: 2c6a912a90ce71ae095e8f16a97222e28964a271
  SHA256: c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b
  SHA512: 10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb
- Filesize: 171B
  MD5: 815912636a6bb7ff6b5e88866341a66f
  SHA1: 99ba5bf340c1b92572512d21a35c1d28b82659ba
  SHA256: fdf009d1c26fa1a7e9c214ea694e3eaf6921831afb38ba862d2a2d8255517da5
  SHA512: 55ff89d5eafb204d1df9861e6bad9a749fb27ac80b67a3daa6b25e488f31bd1b8e9a5b6ad2592a04fb37ab5f88de0e356df0236dd88d9e55cb5d5bd20bffe981
- Filesize: 203B
  MD5: d1fc3f201e8090f8dcee64c474cd0cf4
  SHA1: 6024cc3ca5aa6ad6de71eadad73d8bb33deec076
  SHA256: a60d58e4cfc3ce5d8a12fcdd798d8d94a7917bb1f845021ae4e800eb9008095d
  SHA512: 8f4d8310c3f0c142b2507d3232d85176bfe8dabadec18c5f986d007320b420b7ffa823fe37c66c1b4f23380e3ea1c238d89b4966594b9e547e9f3780cf1a9731
- Filesize: 2.6MB
  MD5: 6549aa20c876e6bf63cadac932ef0590
  SHA1: 16c184a26ece04e50897d6f0ca3dccc459089713
  SHA256: 69a0d6dcae021488732fa5d434a86b9bc7b4ff9571f55b8d5090b670eb55a55b
  SHA512: 261968386848629b0f1000a2ef42810d6c963ccd1f5f422cc0e35296f2b7ec59d0499d1cc50f1580935875b47433102ff57d82eea4766ac7928755286095537b
- Filesize: 2.6MB
  MD5: cd4f5eddc43ba9e26c1df2090b781fc1
  SHA1: 4f5a040edf0f2d95416f304f86878a3cfd5b9b07
  SHA256: c1d4c6e0110f24dd5cc07a7468dec5fd6962ac4c67aa63bca49eaa9848583fe7
  SHA512: 44d5e9bca88ed2689ad8b84fd881b816f4ad0f36feff7f3d2bd7f9c1e8e9c69682a9486eef0439c5a526ef36b2fb66994a71f1bda611ee59312bb905240c27d4