Analysis
max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
13-11-2024 13:57
Static task
static1
Behavioral task
behavioral1
Sample
943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
Resource
win10v2004-20241007-en
General
Target
943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
Size
2.6MB
MD5
32d09059b14cc49fe68b1141fee20360
SHA1
626d63ca2ce2096c6be7b8f185c5d0522109618a
SHA256
943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353
SHA512
793ac641b029d1050513d84c579b3d61bfeafb69fe34907be709ec5f4d132115cb097d046a96f1e52ac301cee6b2d31be988c25f55fdc88127d06c62e30b1a61
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpKbV
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (by 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
Executes dropped EXE 2 IoCs
Processes: sysabod.exe, aoptiec.exe
PID 1904 sysabod.exe
PID 2956 aoptiec.exe
Loads dropped DLL 2 IoCs
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
PID 2288 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe (recorded twice)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6V\\aoptiec.exe" (by 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQI\\bodxec.exe" (by 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, sysabod.exe, aoptiec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by sysabod.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by aoptiec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, sysabod.exe, aoptiec.exe
PID 2288 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe (recorded twice)
PID 1904 sysabod.exe and PID 2956 aoptiec.exe (the remaining 62 entries alternate between these two processes)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
PID 2288 (943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe) wrote to memory of 1904, procid_target 28 (recorded 4 times)
PID 2288 (943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe) wrote to memory of 2956, procid_target 29 (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
    C:\Intelproc6V\aoptiec.exe
    Command line: C:\Intelproc6V\aoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
2.6MB
MD5
87ab0b020aded2d0bfce4ab0a9da2292
SHA1
7bf0c19e7588737ad424a4c472653c2fa17c36bd
SHA256
1c920b36ab3e2286cdaeaf468a23e7f2a21aaec85f424031d742b443fc300693
SHA512
5e51e18d71e5e16aeec15a6d42dc28a66a8cfa8f3ee07dbc88f5bb5915b0aa0e64975647351b4e87dfa9aaf3afd2e882292e1c559dffb65302cca6c94e8af067

Filesize
2.6MB
MD5
e80ade7701d3be3a1f00c21fa282a787
SHA1
2d2bf04e9e64d43cc9c8fe5630b21e3836cef37f
SHA256
5015b552a359213dcfa148b09249e8f164afb93327ca5b796feb7b32498b18ba
SHA512
4034af83235b22e9dffee7fbc8d2ee978103ba600228c7d821059c9a877cadfafa3661aed2540d42230c4f54afafc542d8eb538a91b6726a6475f78109ea5b0e

Filesize
9KB
MD5
bceeb783568178019cfa9ce19da30a69
SHA1
3918c6d01f7a27b2a71133015ea935c5555085ff
SHA256
41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd
SHA512
7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Filesize
2.6MB
MD5
c3bdba2be798e539dd11f214b2a1162a
SHA1
34eb55a22d8bd869abe8f9f080f7a2ccbd3c23df
SHA256
14dc162ae13b4322b3689c94cfe65848dd07f810518af9bc3be5598d52f897ed
SHA512
9663ea9f93cbec70dcb9db0d811916888ce98c45f9e9c15b2c10103c81829f28c8d8390abc6849df0f449857208754e8da807ee21f531eb417cbfc31c619d037

Filesize
172B
MD5
2b81e6884cfe14868ed208e3d77e0c88
SHA1
2cba0f09c4948f7c59eeacc478396d493b1e9c96
SHA256
050040fce147c64f2022bd74e8034ab61ca365bf56154bface0ab9bd5f763a6a
SHA512
789bb07ac79e5d094b36d7aa0eb76b476763b1fab690fc1c73aa192a2a8baa37fe708fe1d923a6ae568aa7936d6da3f1a9b0f953efdcc8b2f04848eface12caa

Filesize
204B
MD5
477c9dc0ccdd7be4ad3d4433ea7b8807
SHA1
03c32efbe585c089c882e1adc3586eed68c9197a
SHA256
13a9ab85cacd1572eed87984b3ac55081512389da82e243887d470a4523d17f5
SHA512
62c9df1e8c47f54a529318f6249a73d445f4242ca35f1a039ad3e15d0e2b48ee5f070c10f27cf29031dbefc1788a9af1e0964f5e20f09c245ad21617d652e0aa

Filesize
2.6MB
MD5
3a62edcc6030bd85a4099ca4dd80450d
SHA1
a12a072143806fb9fc192705cc1ebd7a564133da
SHA256
66ee382ea500f237b55e5497cc9938b6c1a33d0d3efdb33aabe458c735d98029
SHA512
84c86d43981a2c75add25e9c9e08c45f410064794bfaac64eca7fbef9526eff2ef1d61fb06a45888fb344648cd52065570b847a297a43667b43cdbfbe4ec59b7