Analysis
- max time kernel: 120s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:15

Static task: static1

Behavioral task: behavioral1
- Sample: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
- Resource: win10v2004-20241007-en
General
- Target: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
- Size: 2.6MB
- MD5: 1adc363340d141addd5da75bbabdcb50
- SHA1: 37ae4b90d13aac1a98963a6577c209078230ebfc
- SHA256: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6c
- SHA512: 0cec4e680a693c24871bd786ac4ffeb36502ecbd69ab89686110699eaf6d37b2cb3a28dea4026ff86964bed114a817576df53243687e11b94d1853bd15150e31
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe)
- Executes dropped EXE (2 IoCs)
  - PID 4964: sysaopti.exe
  - PID 5036: xbodsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR3\\xbodsys.exe" (Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax88\\dobasys.exe" (Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: xbodsys.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: sysaopti.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three pid/Process pairs, duplicates collapsed here)
  - PID 756: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  - PID 4964: sysaopti.exe
  - PID 5036: xbodsys.exe
- Suspicious use of WriteProcessMemory (6 IoCs; each row is reported three times)
  - PID 756 wrote to memory of 4964 (pid: 756, Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe, procid_target: 89)
  - PID 756 wrote to memory of 5036 (pid: 756, Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe, procid_target: 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe (PID 756, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 4964, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocR3\xbodsys.exe (PID 5036, depth 2)
    Command line: C:\IntelprocR3\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  - MD5: 5ddeb391ab3ac28373c49a18a9fc5820
  - SHA1: e20d2b080bebd9139c84c58416d7c70625c1e9a6
  - SHA256: 53702ebe2017c945f2c47a2f890fa8800d9d4580a95231c1647d51b5506d8a21
  - SHA512: 915eb3a726b9264b2921ba1dc3dd7b58782f2b3513a4a13d8e08ab3548bf22c95f531cfefe0682c23602c5f94873b3f1b15ff79c4dc946cb35728044e5768597
- Filesize: 2.6MB
  - MD5: 01b7985dbdabde462880f807a7d6eea3
  - SHA1: a3512cb4e11ad51950a66767fcc8a6739490a366
  - SHA256: d2fd4575805e6a38e91d64ecb6a8825e094ce5f3b6fc2374c63d72264f4408e0
  - SHA512: fb454bebb68bfdc3c53b414ab27c8bc0200aec6e210eb80ff6f5ae9f0fe292426c0b07a100d4a6ae29b32fa9cfce1a9becd59c28c5e9913afa711e34f744202b
- Filesize: 916KB
  - MD5: 0294e6ceeeee93c180c029b7954ea242
  - SHA1: a06d7fd94adadb1d07c1b5894a5f571fcc7c8803
  - SHA256: 0452b24867b18148fb59fee832f300f49740e4fbd7b2b76784f728bd3cc76905
  - SHA512: cbbbd4c938287a2b48331487af93a25afac7828689a90853180af2888236041d406b3f07057447c3fa1a9c8e6edd32036c902142ea91a3549fb0affa4a7899a8
- Filesize: 2.6MB
  - MD5: 7cc65550790060baede29d570c3e8564
  - SHA1: 2ebe4680e39d6df4520c2027f65c863dd0fea4f3
  - SHA256: 1d4eb8d7bf319b2b7f0027c6399c4b5e316a225d36341e38fd4141f3ed244fef
  - SHA512: 809e3c538bb1753b8da04fecdac1ba575d829f04503351be95e58d00a68aba76ca26f042dca81874e598a9573d261d8e91d5c761e5729974ae87959a8d7ffe17
- Filesize: 206B
  - MD5: e3e790db0abf7eaa62cd41a76c23f3a8
  - SHA1: 0f5543fe574cca5cad0997110c3a631768b7dd86
  - SHA256: 51d1a8b6eff29cf6b9923cc4cdb279c1d88ddf9186cd9af5df630ae19a2cc582
  - SHA512: 63e4c50eb8e32f7824cf3208a4645271a751209cf7a01556eff94cea09b42eb8fc58b2b14885fda19c9367b93102e77bc79803c52bdc0611bc8dcaaab2e3e58d
- Filesize: 174B
  - MD5: f684046193b294bc3ffe3ee35e836ed4
  - SHA1: bb19a4f6bac8e9d3e56c2062b12b669eda7812f0
  - SHA256: 7e89b30dcbc83effd13c61cf3263548a239bd3f4723b85f351050f7873ec225f
  - SHA512: ddb99a2df83dbc5f3ed94ca688c8c442ef09b555e329ee4797bb5b943ddcd278f12110a7a307eef4313b12808a90c8cdcc3739b0a77db3bdbbd912e2d4fb173f
- Filesize: 2.6MB
  - MD5: dd5e1277518c2506e3013a2c56130122
  - SHA1: abef124210cb1359e87977d09ed8f79fb30bef35
  - SHA256: 50ed4ab234a8c8362ff712ee96611eca44276d041c6ce51496d45540e8558f25
  - SHA512: 169511251e9351d28d0d10608b9794dc184ec99972b5a9fed7e1d2388aa71ca26dc0c6c50d401bc3e63eb7497be09ef037daefc0479e04917fed88afce632bdd