Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:53
Static task: static1
Behavioral task: behavioral1
- Sample: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Resource: win10v2004-20241007-en
General
- Target: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Size: 2.6MB
- MD5: de0b5782de12cab93f8325f9473888ee
- SHA1: 83b4ba6493642200f175d76bb53659eeedd6dba6
- SHA256: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7
- SHA512: 21012aefb971bf05b5090f74375bb436d1294f227662efe661dededd5355d381f7f26195abc28db6f96b5d0dfbf27206aca5383b54c6111ffd225a3992f04341
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCzB/bSm:sxX7QnxrloE5dpUpfNb3
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe

Executes dropped EXE (2 IoCs)
Processes: sysadob.exe, aoptiec.exe
- PID 2340: sysadob.exe
- PID 3976: aoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ8\\aoptiec.exe"
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY7\\optidevsys.exe"
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe, sysadob.exe, aoptiec.exe
- Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysadob.exe
- Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe, sysadob.exe, aoptiec.exe
The 64 entries are repeats of the same three pid/process pairs, collapsed here:
- PID 856: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe (4 entries)
- PID 2340: sysadob.exe (30 entries)
- PID 3976: aoptiec.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
- Description: PID 856 wrote to memory of 2340
  PID / Process: 856 a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  procid_target: 86
  (recorded 3 times)
- Description: PID 856 wrote to memory of 3976
  PID / Process: 856 a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  procid_target: 89
  (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe (PID 856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (PID 2340, child of 856)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeZ8\aoptiec.exe (PID 3976, child of 856)
    Command line: C:\AdobeZ8\aoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads