Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:11
Static task: static1
Behavioral task: behavioral1
Sample: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Resource: win10v2004-20241007-en
General
Target: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Size: 2.6MB
MD5: 8f8e1cdd9154f1733e8c7246264bd4c1
SHA1: ba5ac23a3dd0657542f218c68e3370a413f16dad
SHA256: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe
SHA512: 2619102b7625d49e22207d477beb662bd546370419156e8cf63050308f373970b168ae76f671966f9fafa323f19f11060740e076def0abdbfe5f151f504d4903
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpEbV
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2916 | sysxopti.exe
  2428 | xdobsys.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLY\\xdobsys.exe" | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRU\\boddevloc.exe" | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxopti.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
  2916 | sysxopti.exe
  2428 | xdobsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2388 wrote to memory of 2916 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 30
  PID 2388 wrote to memory of 2916 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 30
  PID 2388 wrote to memory of 2916 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 30
  PID 2388 wrote to memory of 2916 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 30
  PID 2388 wrote to memory of 2428 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 31
  PID 2388 wrote to memory of 2428 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 31
  PID 2388 wrote to memory of 2428 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 31
  PID 2388 wrote to memory of 2428 | 2388 | 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | 31
Processes
  Level 1: C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2388

    Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2916

    Level 2: C:\AdobeLY\xdobsys.exe
    Command line: C:\AdobeLY\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2428
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15KB
MD5: 10e6df3619bbbd1a2464d5000a56fbb5
SHA1: 9080f324c059847c04fbc434d62d8ab2e06140a9
SHA256: e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559
SHA512: 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Filesize: 33KB
MD5: 0bff6a8bffb6b865fbe4908d666b07ee
SHA1: 5e176ff62c86ebbdaab5e545079308f50395f3f6
SHA256: 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
SHA512: 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e

Filesize: 2.6MB
MD5: b5b522feeb98d018a0726b259322835a
SHA1: d71081e65329944182b60b9443f24be45c7c6d50
SHA256: 56ffaa2f1b523e7b125e495f6106d9ed7c56eadf2488b2022976075188047389
SHA512: b8649bc9de4bcb3d66c4c40f1c3c34768c1d563338763fd44405568623765bd7ca8450097910c8742fefcc9d31bf24555f3f07b5aae7ab9be5f9e081329023af

Filesize: 171B
MD5: e761304cbd60bbcd692dd7d7f5dc2634
SHA1: 81287d927e1095d683c151d4fe8a2463cabeeff6
SHA256: 5a303610386a82c6bba0f70967ede2f03b35527bbf5e35f449da34290f06f219
SHA512: fa8db3b8c995866b72c914eb62da17afaf175df14cc1c58ded828d886dcd021f16279de3c14d70fa237470b4407c9ade317e5712340c28a6e3434d78e47ce886

Filesize: 203B
MD5: 1eb93465e67d9e83063cebfb39299343
SHA1: 177f56f2065cbb02d4ccecf6afb031116f4501b3
SHA256: 7d499b47d6ea8bae64e5fda7ced238b89ca61f0fd4dab6716194060faa8cf0e5
SHA512: a7c2ef207175d67f55b8217432ea5d8dcb5583c7716a5c398810a323438e27f8c14355450c405a715812393de83321e53656da0633e88fcc5b61c33d27a6583b

Filesize: 2.6MB
MD5: 3b3e70f8f17bd6d0cb900dc7cf6a95e2
SHA1: d0c6f8710d067a717aa28770a00b51f568a406e5
SHA256: 91d67129d201a76a55b983ecd427a999b091ce4e615b8dc2169917e648dcfcf5
SHA512: 4e8c4c88011d53ceedc26ea04a94abd50b2c67a49ab5b60c826b50a09d86b856fb379a23f69e7274da0e51a18181a4d68d4225ab6f6961ca96b15bdfbb46b863

Filesize: 2.6MB
MD5: 8187191e9cf58684a89c8ae94842c6e3
SHA1: 89c5d60bfbfda4aa26acfc4bc28c288f7875d6cc
SHA256: d218e41e086c465e1a1ba18dce49929c064f1748c7836adcfbe8a76eaa7efbd7
SHA512: 35d997e0de54c4913939a11b6ed4ccbf9f1059a59f48d47e45858a6b298a0e5c1f5f7bdb5909e44d8de2b8bb32ce6c4a2432e124f403982639c516f680e5d50f