Analysis
max time kernel: 120s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:16
Static task: static1
Behavioral task: behavioral1
Sample: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Resource: win10v2004-20241007-en
General
Target: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Size: 2.6MB
MD5: 1cc9f4da809ff5ede1c260a2d8bf1ab0
SHA1: 2da2e9db9ee914d0a323c218a890a8e9b52c7d0f
SHA256: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01
SHA512: 5946e6509a71957fb7764745f7a5fed2d60e652ff3dbe3eb8709c833705c66e8c2cac5e037d5c248950e4bf4e265d813a4aab3092501d63d1899cde722d13399
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSq:sxX7QnxrloE5dpUpfbV
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Executes dropped EXE (2 IoCs)
pid | Process
4948 | sysabod.exe
3852 | xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGM\\xoptiec.exe" | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6P\\bodaloc.exe" | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
4948 | sysabod.exe
4948 | sysabod.exe
3852 | xoptiec.exe
3852 | xoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3620 wrote to memory of 4948 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 88
PID 3620 wrote to memory of 4948 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 88
PID 3620 wrote to memory of 4948 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 88
PID 3620 wrote to memory of 3852 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 89
PID 3620 wrote to memory of 3852 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 89
PID 3620 wrote to memory of 3852 | 3620 | cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3620
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4948
  - C:\UserDotGM\xoptiec.exe
    Command line: C:\UserDotGM\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3852
Network
MITRE ATT&CK Enterprise v15
Downloads