Analysis

max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:56
Static task: static1

Behavioral task: behavioral1
  Sample: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  Resource: win10v2004-20241007-en
General

Target: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
Size: 2.6MB
MD5: da11845940bba82434441431461226c3
SHA1: 1871690ab9f59b0ed5e6bc612daeadea82f9fd03
SHA256: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9
SHA512: f077761aa3f23263b2ae31ca733a4504cadd5227202c48becebbb33b560336b48d10ad214b5a4b40cb71a5ed8155741f7af7a521cdf590d82108318409c53076
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSm:sxX7QnxrloE5dpUpeb/
Malware Config

Signatures

Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe  (process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe)

Executes dropped EXE (2 IoCs)
  - PID 884: sysadob.exe
  - PID 2344: xoptiec.exe

Loads dropped DLL (2 IoCs)
  - PID 2904: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  - PID 2904: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot24\\xoptiec.exe"  (process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBL\\bodxsys.exe"  (process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysadob.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2904 wrote to memory of 884  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 28)
  - PID 2904 wrote to memory of 884  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 28)
  - PID 2904 wrote to memory of 884  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 28)
  - PID 2904 wrote to memory of 884  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 28)
  - PID 2904 wrote to memory of 2344  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 29)
  - PID 2904 wrote to memory of 2344  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 29)
  - PID 2904 wrote to memory of 2344  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 29)
  - PID 2904 wrote to memory of 2344  (pid: 2904, process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe, procid_target: 29)
Processes

C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  (PID 2904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe  (PID 884)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDot24\xoptiec.exe  (PID 2344)
    Command line: C:\UserDot24\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads