Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 12/11/2024, 17:21

Static task: static1

Behavioral task: behavioral1
  Sample: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Resource: win10v2004-20241007-en
General
Target: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Size: 2.6MB
MD5: b4479cc4f5a9479b5d4259b7eb25d2b0
SHA1: 8d575cf4883182cbf288c7db009ab72ccc086968
SHA256: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825
SHA512: 070db49fddcfae383d9d7e30c8a86a74f666de352f9033c5056a7a75bfa791ae60093236d35ed8e2e313e30afe76a882ee108c8aa19db91d3daef665136881d0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Executes dropped EXE (2 IoCs)
pid | Process
1428 | sysaopti.exe
1696 | xbodloc.exe
Loads dropped DLL (2 IoCs)
pid | Process
2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMA\\xbodloc.exe" | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH5\\dobxec.exe" | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
1428 | sysaopti.exe
1696 | xbodloc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2592 wrote to memory of 1428 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 30
PID 2592 wrote to memory of 1428 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 30
PID 2592 wrote to memory of 1428 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 30
PID 2592 wrote to memory of 1428 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 30
PID 2592 wrote to memory of 1696 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 31
PID 2592 wrote to memory of 1696 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 31
PID 2592 wrote to memory of 1696 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 31
PID 2592 wrote to memory of 1696 | 2592 | d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2592

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1428

    C:\UserDotMA\xbodloc.exe
      Command line: C:\UserDotMA\xbodloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1696
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: a72e7fad90474585c4e7d919654bc44c
SHA1: 095806dd6f741b9e7ce8d54566bfb0caf487ebfe
SHA256: 19bf40e02c3f03abbdfb042fce564c94751ba5e41f402a265727e5a1e2bd4448
SHA512: d47432d2b484e8440dcaa8f291352528b93a508ad7714de0a106f08f027b14474f70b062f55e6374c9c15ad8fe6c50e53a18568b9d6ef561cc7ff2b1159b474e

Filesize: 2.6MB
MD5: 14a710b464814e4f1d9d06cfb0b013ff
SHA1: 43603b164dfeb009960d07484ce1b64c4757c23e
SHA256: 264a01b598952d34d7455ec9fdd5a4d6d21f35c5453d4005bbe1bac4045846d4
SHA512: 576d2e6a35d9f9f2cec00b72e56eddd9019c83010c98498b3ca2d62fda977209150b80d66f616a3b56d88e1b31a309604284c55539ddce6f40f78226abe4635d

Filesize: 78KB
MD5: cd3d3d8495b4c10ca847825b99214fff
SHA1: 2a366450a0f29f8a55d544189eccce8f1a92262e
SHA256: 7e5c3acd4625592a804e32bef2bf5f7aece1ff43c7e4deea1c717e8bdfca8513
SHA512: f8485fafe893d2045eaf14b02ce35dbcb976672f0cf939dd6a89f529c97e58dd566c33f2c99eca1a66095621066a2bc147de36d9319a720a91c5fea90851e49d

Filesize: 170B
MD5: d6cff1d930f0b6c26a95afd4f91afe3c
SHA1: c2be2b7e1bb87cb12debfaf243ae7d78053e8bb8
SHA256: 51089e46f72a1fac4ebc11301c67be4cd8f6dd9c6342eecee6d25a1e307a9644
SHA512: a80cec80f2c3b429fbcc4cbf2efbf9c3737a9117b29b94aaf534ea04c58702ec08786e17d284e3a4abd8a512af8e76c198b843eb299335a6b574208a441ce550

Filesize: 202B
MD5: 98efee698dcc5b1314498b54f31e427f
SHA1: 3174e373170791072b969aa90f1f4c6aa03a14da
SHA256: 19616fd9c68cb07adf018f26488ffb9fe746ba0ba981b6c4fa6b57fa87464c97
SHA512: 7518be278a47a27b345199f54f58952d6399cb2e49f7e24125724e2fc5eeb4aa7171583e014a616404e716bf326fabd438f0239b09fc118d0defdc9ef642a0b4

Filesize: 2.6MB
MD5: 94ae7d3b0e0ee6752c8befd9dfb4f566
SHA1: 7063135a6aa1066f842857843913deaaa5e24ace
SHA256: 8a16a73de7dcbae0e1cf9fdacc0eef1c2b39e8a2540d6011553a05b8c1c586b4
SHA512: 1585789687df580c392eeea37699e61b3c30aa3257c80a97ae6a1d0ad817331d9cefbb48e275b6bff0d911467df7b404e178138309efe4da33e82f32c4a67d5e

Filesize: 2.6MB
MD5: fc9968f6e71cfd4f1fa06c0f9fe6a8be
SHA1: e52b76a8e4fcc581716882e8ce58ae8a4d10218b
SHA256: ebcbaa668fde0e6ed8aae8c532f86c68028fa6001e907922f43398df1cdb8c45
SHA512: 61bcaac7ed93b713f4bbf92960214f73f1de66518d2e7697878378f6d162d99ba8293d2cbfe08d0963a01d1be907437f8430e51572fd53122038a8d225b92118