Analysis
- max time kernel: 119s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 23:32
Static task: static1
Behavioral task: behavioral1
- Sample: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
- Resource: win10v2004-20241007-en
General
- Target: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
- Size: 2.6MB
- MD5: 595bcd0a806be82959f06afb72d6a4c0
- SHA1: b1e3af0a5df5e4ec1910c2be73a3f3e36422d6f8
- SHA256: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517
- SHA512: b92379ef39290027d3509b91cceee0abc4b0ec73a6246c088d4232c641e11be6b493f3992e5e3a4287352aaae61cda95a7f89f9da9cc949afd092bc288ecc3c1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe)
- Executes dropped EXE (2 IoCs)
  PID 1960: sysaopti.exe
  PID 992: xdobsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe27\\xdobsys.exe" (process: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKJ\\optidevsys.exe" (process: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries repeat the same three processes: PID 3668 (3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe), PID 1960 (sysaopti.exe) and PID 992 (xdobsys.exe).
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3668 (3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe) wrote to memory of PID 1960 (procid_target 87), logged 3 times
  PID 3668 (3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe) wrote to memory of PID 992 (procid_target 90), logged 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe (PID 3668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 1960)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe27\xdobsys.exe (PID 992)
    Command line: C:\Adobe27\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads