Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:29
Static task: static1
Behavioral task: behavioral1
- Sample: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
- Resource: win10v2004-20241007-en
General
Target: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
Size: 4.1MB
MD5: ddd71148549b197fce05d66ec84290ef
SHA1: 3018bf432e92a1bed6ead13c2bda44ee933de2c2
SHA256: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8
SHA512: 82e0812e2cd9868f241d08f0177ecd8f5fe052708cdf2637381772563b874c398854f07e255f50dc5cb518cfe07ea8d499f736240cdc5300fe428d048506626a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI20tJ:sxX7QnxrloE5dpUpgbVz8eLFczU
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
Executes dropped EXE (2 IoCs)
- PID 2260: sysxdob.exe
- PID 2920: xoptiec.exe
Loads dropped DLL (2 IoCs)
- PID 2004: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
- PID 2004: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN9\\xoptiec.exe" (process: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\bodxloc.exe" (process: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 events, all from the following three processes (distinct pid / Process pairs):
- PID 2004: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
- PID 2260: sysxdob.exe
- PID 2920: xoptiec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2004 (1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe) wrote to memory of PID 2260, procid_target 30 (4 events)
- PID 2004 (1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe) wrote to memory of PID 2920, procid_target 31 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
  PID: 2004
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2260
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeN9\xoptiec.exe (level 2)
    Command line: C:\AdobeN9\xoptiec.exe
    PID: 2920
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads