Analysis

max time kernel: 119s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:30

Static task: static1

Behavioral task: behavioral1
  Sample: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
  Resource: win10v2004-20241007-en
General

Target: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Size: 2.6MB
MD5: d2403f45884e0fde9b26de7e4bd1c3a0
SHA1: 5a6c9b8dc6a3f9e98d0a6680769d17854782bde3
SHA256: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141
SHA512: bcc057d3047b35f3804727f51c84e7dfef6573f9c0dc85c77fca03ee6859ba5d15553021541cfdbe2c089bc7b22587466ebbf7455dc3e671b14b9fa69853735f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe)

Executes dropped EXE (2 IoCs)
- PID 3396: sysadob.exe
- PID 4472: aoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0E\\aoptiec.exe" (process: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJB\\boddevec.exe" (process: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Distinct pid/process pairs among the 64 repeated entries:
- PID 2936: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
- PID 3396: sysadob.exe
- PID 4472: aoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2936 (8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe) wrote to memory of PID 3396, procid_target 87 (3 entries)
- PID 2936 (8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe) wrote to memory of PID 4472, procid_target 88 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe (depth 1, PID 2936)
Command line: "C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2, PID 3396, child of PID 2936)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

  C:\Intelproc0E\aoptiec.exe (depth 2, PID 4472, child of PID 2936)
  Command line: C:\Intelproc0E\aoptiec.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads