Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Resource: win10v2004-20241007-en
General
Target: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Size: 2.6MB
MD5: 8f8e1cdd9154f1733e8c7246264bd4c1
SHA1: ba5ac23a3dd0657542f218c68e3370a413f16dad
SHA256: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe
SHA512: 2619102b7625d49e22207d477beb662bd546370419156e8cf63050308f373970b168ae76f671966f9fafa323f19f11060740e076def0abdbfe5f151f504d4903
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpEbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Executes dropped EXE (2 IoCs)
  PID 1448  sysdevopti.exe
  PID 2056  adobloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9M\\adobloc.exe"  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGD\\bodasys.exe"  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: sysdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: adobloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1216 wrote to memory of 1448  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 89
  PID 1216 wrote to memory of 1448  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 89
  PID 1216 wrote to memory of 1448  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 89
  PID 1216 wrote to memory of 2056  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 91
  PID 1216 wrote to memory of 2056  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 91
  PID 1216 wrote to memory of 2056  Process: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe  procid_target: 91
Processes
C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
  PID: 1216
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      PID: 1448
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Files9M\adobloc.exe
      Command line: C:\Files9M\adobloc.exe
      PID: 2056
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads