Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:05
Static task: static1
Behavioral task: behavioral1
- Sample: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
- Resource: win10v2004-20241007-en
General
- Target: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
- Size: 2.6MB
- MD5: 9f0b34d341fca709b940188f7317ed70
- SHA1: e48250b68b58d5604d4c715b41b768a570b5bd4c
- SHA256: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8
- SHA512: d8ef9ae955dbafb2c31f2a801ced2c31136b206f6e11790ee18e1375203f0701582a194b9e70b434cca9bd795f67c42614daf81edcf3fc5f21ded9d6bc7ece3c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe)
- Executes dropped EXE (2 IoCs)
  PID 5056 sysadob.exe
  PID 232 xdobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI6\\xdobloc.exe" (process: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX4\\optiaec.exe" (process: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries are repeats of these three pid/process pairs:
  PID 2672 c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  PID 5056 sysadob.exe
  PID 232 xdobloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2672 (c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe) wrote to memory of PID 5056, procid_target 88 (3 entries)
  PID 2672 (c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe) wrote to memory of PID 232, procid_target 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
  PID: 2672
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 5056
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvI6\xdobloc.exe
    Command line: C:\SysDrvI6\xdobloc.exe
    PID: 232
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads