Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
  Resource: win10v2004-20241007-en
General
Target: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
Size: 2.6MB
MD5: 035de7c08de365c74452708c8c4e8870
SHA1: dafa05d73b2fa0a03da19772482ae4a85b738baa
SHA256: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32
SHA512: e7ffb3d87e4addb180fd5881ec9a5e093a0b1a5d57307a77bd6c23fa92c48a6553dc95dc60cd2a3fbd80275cb8deefa93d2815f771e69551399bee91c3807e44
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpeb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Process: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
Executes dropped EXE (2 IoCs)
  PID 812: sysabod.exe
  PID 2232: xoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR8\\xoptisys.exe"
    Process: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGN\\optidevloc.exe"
    Process: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4708: 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe (4 entries)
  PID 812: sysabod.exe and PID 2232: xoptisys.exe (the remaining 60 entries, alternating in pairs between the two processes)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4708 (739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe) wrote to memory of PID 812, procid_target 88 (3 entries)
  PID 4708 (739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe) wrote to memory of PID 2232, procid_target 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
  PID: 4708
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (depth 2, child of PID 4708)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 812
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotR8\xoptisys.exe (depth 2, child of PID 4708)
    Command line: C:\UserDotR8\xoptisys.exe
    PID: 2232
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 54561225560aad2546dadfcde1c1d94f
  SHA1: 5bf0caf64b258b0f18d53a9e45efd4506656c80f
  SHA256: 03a7f6a182fd85636ba9a0dafdf4552300ab6c1bd8a5eb86761a0fcaf4486289
  SHA512: f2c2cd7963b31f9c0bff47af68751c46f6dc1cd07079086a3a68eb24db18a8cc98fbad8894055bbd1fc4c7fe2847e8cfb1a56c4c53c069d34c67234aebad1e5d
- Filesize: 6KB
  MD5: c8190a91500bb1d9caa61e3b11eaf128
  SHA1: ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684
  SHA256: 6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e
  SHA512: bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b
- Filesize: 2.6MB
  MD5: 4df78a5601ba1b5b581eef69e34a77b8
  SHA1: f17972609a2e6407a89829c71070154861c922d0
  SHA256: 3dceff21bca32885fa18924d13d8f91965ffcf1c2c0d7eac47546bb78ad65907
  SHA512: ed0cbba4815e07e38805c6e97e35e60f19f2ecdc3502c678cfac2e54dfee55440b51e23a5676ef1b2036c06a924f404691799221af2841b211c7cd99ec580245
- Filesize: 206B
  MD5: 261cfd1eea9e8c20161886b269915bc9
  SHA1: 401220c366c9df786ecc1cb683b87e0febbb058e
  SHA256: 5c9b98b8c0292d8bed3a3bd2605b6643273e4a357d11a8493cf37a0f67c17678
  SHA512: 0b49ceb86d2a9d983c857ea966d9e8338330ea578cdc3244c05e21a294fe63a19cda5090710ab86c187b314c8d758a6f8cf501c2f8b0e5a529acf49edc3c5f9e
- Filesize: 174B
  MD5: 71fef6c5a7c141e4be15071cde472add
  SHA1: 4e99e1f43e5210251a07b7b29043b5633cdbcbf0
  SHA256: 8a29ea35142eeb2d8f70fb7d64bf54ab70f2ac798b213f6f3a0639a2b2cbae74
  SHA512: 9913a145f77ce0b32fdcb477a8a1568b00723d1f81d31621d86642d24355824c977f0baabdbdf4d23d2d574d8d3cdb659e1343adbd20dc87519e12a0206ec506
- Filesize: 2.6MB
  MD5: b70dbeecfeaed875dcf47f675d67c37b
  SHA1: 597cf888220ca9328415d6aa01a5b72bab6a80cf
  SHA256: abcebe18e2c52eb506383d0f65370bd12c3d6e1b0f4430419eebafdf9044d08f
  SHA512: c57157ca89c756f507a47b4a0814ba864fb51df5ed9795213c2cd710daef77065ca6a08cb4fcf7835da40181b15d10dc710db1993e6b8009173906415ab28582