Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:51
Static task: static1
Behavioral task: behavioral1
- Sample: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
- Resource: win10v2004-20241007-en
General
- Target: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
- Size: 2.6MB
- MD5: f39e661293c6eb02e1ecfe75608533cc
- SHA1: b3ed1e1afdc8d065fdec6be89fd2de7ffb865377
- SHA256: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa
- SHA512: c69121d43574de34b9babfabaf6ae3eeba9b62b54f216cea56ae9a1c318c14e9fe71affac306061ab6dd319e10b3bc371a5848a92a32b50097ca6c9947da0a7b
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSy:sxX7QnxrloE5dpUpKb1
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
- Executes dropped EXE (2 IoCs)
  Processes: sysadob.exe, devoptiec.exe
  pid | Process
  1468 | sysadob.exe
  4360 | devoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot28\\devoptiec.exe" | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintU0\\dobxloc.exe" | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe, sysadob.exe, devoptiec.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe, sysadob.exe, devoptiec.exe
  pid | Process (64 identical-looking rows in the report, collapsed here with their counts)
  2324 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe (4 rows)
  1468 | sysadob.exe (30 rows)
  4360 | devoptiec.exe (30 rows)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | pid | Process | procid_target
  PID 2324 wrote to memory of 1468 | 2324 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 88 (3 rows)
  PID 2324 wrote to memory of 4360 | 2324 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 91 (3 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2324
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2, child of PID 2324)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1468
  - C:\UserDot28\devoptiec.exe (depth 2, child of PID 2324)
    Command line: C:\UserDot28\devoptiec.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4360
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 32bbcbab3419e834435d02c0275fd37f
  SHA1: 98e418dd90c189398b5924e334eac4015c15faef
  SHA256: d728d4abb6b71bc517348f4add2f8461986a657d58be8a825ab3850c40eb0b16
  SHA512: b4f3c39a75f864d351e8a58232e203c1d06c2d32d0c94608d5ca27e9c93aafff543bf2530cc2d31226aaaf5a0f97bdcc00e104f58401714e65617241d601ffe1
- Filesize: 2.6MB
  MD5: db46af80db043749659c82918a3334b5
  SHA1: 65c7052a6b7d8fca322ecb61c9ece95246068ee9
  SHA256: 0adb23abd425fc6794de9cfe6a3cf74d43e37279cae6f134782bcd51c0068313
  SHA512: 5160e51941d2f0a098e98ed4303537654458434fc6fefa670104ea82a8c03f3faf8572179b71bc2bdc763551d50476f13007bb590ac491a0a97a927695817645
- Filesize: 2.6MB
  MD5: b736750331a9edf63fe4c708b80662c5
  SHA1: f5b3761b33bb51f28c30ee598f44afa419f678fa
  SHA256: f7985d64f9f8b4884c89453da59ed970d1583ce1c0b69b7f25e9a78414ce58c0
  SHA512: 15648e88d4aa83d23a534c8223ddc6fb97653534704d42393f2519d488e63ac68f655fdc2182f91de15924f89b811bc7369efc1cf96b7c038f12eece37a70a53
- Filesize: 204B
  MD5: 9b3030154a2365989dd732c4b03c3fda
  SHA1: 6ddc70be610b9f14839d826db01fe84ebcbf5d86
  SHA256: 69e2c0c4e04a281a68a4a1e4662722825619ec1f37291b233ffa73b1872854ac
  SHA512: 7738221275bafc102c68ddde9cd3dafc870e7f0999c916e079b388516c1670ad1d3783f5df4a08af06d9d8151a1385ebf0394e3e16334e20bea5aca1fd416930
- Filesize: 172B
  MD5: 0189ea19fb1d2ecf1120e2f93e29b0c6
  SHA1: 318163923f0fe19a34b86c4d5528b8c5583a3d6f
  SHA256: eabd56d9aa0d41130cf70db02c0304aca8f633d894cb3464196b408208ea56c2
  SHA512: 638634df4ad370fdb2dd3f657945ca35f01df649fbeded605c26c1418dd56819b1fb44c26f06cea93d3f0b2142df2cb3d1e4da0ce337c0155756dec50eba015e
- Filesize: 2.6MB
  MD5: 02ad932016415ae33db41793b5de29d4
  SHA1: 580c7abeb0e3ac7caaa0abc8e8751682d44c4771
  SHA256: e3f043f681ccf49edadf2ee4b765611bd5f4846e358c8ba0976f5c28c819d16f
  SHA512: 2a11be83d5339f5a7281f4918b695dc3cf7fb273474596c82d96f93de70ca74c8f5dbea569d51383a794c825fc3e058c1a1648ba46cbab247dbfac2ed0da7f69