Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  Resource: win10v2004-20241007-en
General
Target: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
Size: 2.6MB
MD5: 82ee2caabd4291c3f418f19b01e71ef0
SHA1: ae4eecd2446a59803a079037d2cfd42e3cae528c
SHA256: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad
SHA512: bdd9f4ef5d20e7ea24ae506ba6e929d968bcf38fc66341165b19979dbf9d5f3f57a8272a43adfdeaaea37de372c8329c1b6fd978440aaf22caa8ff9da5f706bb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUpMbV
Malware Config
Signatures
Drops startup file (1 IoC)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe

Executes dropped EXE (2 IoCs)
PID | Process
2788 | sysabod.exe
2684 | adobec.exe

Loads dropped DLL (2 IoCs)
PID | Process
1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY5\\adobec.exe" | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRN\\dobxsys.exe" | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process (the 64 events are repeats of these three entries)
1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
2788 | sysabod.exe
2684 | adobec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Description | PID | Process | procid_target
PID 1876 wrote to memory of 2788 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 30
PID 1876 wrote to memory of 2788 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 30
PID 1876 wrote to memory of 2788 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 30
PID 1876 wrote to memory of 2788 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 30
PID 1876 wrote to memory of 2684 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 31
PID 1876 wrote to memory of 2684 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 31
PID 1876 wrote to memory of 2684 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 31
PID 1876 wrote to memory of 2684 | 1876 | 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe"
  PID: 1876
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (child of PID 1876)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 2788
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesY5\adobec.exe (child of PID 1876)
    Command line: C:\FilesY5\adobec.exe
    PID: 2684
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads