Analysis
-
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:30
Static task
static1
Behavioral task
behavioral1
Sample
1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
Resource
win10v2004-20241007-en
General
-
Target
1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
-
Size
3.0MB
-
MD5
05b94f0a6f5415b0a78b17374bcd81b3
-
SHA1
8733cbeabdc5cd57665c2733c4f4b60c34972006
-
SHA256
1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc
-
SHA512
7e5252f68867543e2ab382de72a844ef039d77bc6e00f4cde38c2986f50d8f0fb49d219ad5f33d820eb375e451825fe097c0c21323b9c30ad5a271774459c7c7
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX+:sxX7QnxrloE5dpUpPbVz8eLF+
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
description    ioc    process
File created    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
-
Executes dropped EXE 2 IoCs
Processes: sysadob.exe, abodsys.exe
pid    process
2344    sysadob.exe
2580    abodsys.exe
-
Loads dropped DLL 2 IoCs
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
pid    process
2092    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
2092    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. This signature is listed with TTPs only; the report attaches no IoC rows to it, so the specific browser files or keys touched are not recorded here.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
description    ioc    process
Set value (str)    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2K\\abodsys.exe"    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQC\\dobaloc.exe"    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe, sysadob.exe, abodsys.exe
description    ioc    process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sysadob.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    abodsys.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe, sysadob.exe, abodsys.exe
pid    process    rows
2092    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe    2
2344    sysadob.exe    31
2580    abodsys.exe    31
(64 rows in total; after the two rows for PID 2092 the report alternates 2344 sysadob.exe / 2580 abodsys.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
description    pid    process    procid_target    rows
PID 2092 wrote to memory of 2344    2092    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe    30    4
PID 2092 wrote to memory of 2580    2092    1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe    32    4
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe" (depth 1)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2092
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" (depth 2, child of PID 2092)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
  -
  C:\Intelproc2K\abodsys.exe
  Command line: C:\Intelproc2K\abodsys.exe (depth 2, child of PID 2092)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 14KB
MD5: 3d45b0eaee6cd60ad4f5568ac16ef258
SHA1: d7e11caa9a67cadd55724afe2d1d84adab824cea
SHA256: ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243
SHA512: 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b
-
Filesize: 3.0MB
MD5: 48e2bc270b37941c5f79c121c0547fc3
SHA1: e2b6cd60094087690a755eb095f71032ad983fb6
SHA256: 4aa1660b4fdc54dcd210d80597773349e80f6988d65e0d330db6c8a37df97ff1
SHA512: db528a4cba8e8d9864d4cb4914c2d7399f6a9b3dec7617f6d80b553ca9715588e67a96c17349e1cb6e64ef50e82857faae782ec7966b55127e0d1d388740afc2
-
Filesize: 3.0MB
MD5: e29e0121f0682f53e3e8fc1782038fa4
SHA1: 0f1cf27b969c8e591f60e5c71adfbf7a15d3f477
SHA256: bc4b66e9bf658f072df4cf4309aab1f49e5cf585187b17693acd10f8ffdc939e
SHA512: 1b16c62cd8bce222b62ca3a193f27dff26289fbf563be95990002f7d0c6e6f97d11104ff195447e6529f3a5e50157e223d054a3eb2b776be27ecf4a6ebe74111
-
Filesize: 20KB
MD5: 2873fb57ea06e0913c9b5dde7bd73c2d
SHA1: c2794b886d0f3c44e805ffe343756fd81b5c87ec
SHA256: 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587
SHA512: 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76
-
Filesize: 172B
MD5: 15227b891bc37a79788fd0999d0cc670
SHA1: d0b663c28a51ea37e8c2e1b5f51270e0ac10031b
SHA256: e78720b0afd818a1a1fd4a7779892bf1099b35be146f1dc5ab2e97a1993c931a
SHA512: 15f5d7dce82991d5c948d5e2c9c83e5c112ac3e689429f4ab6da1af7f6d6b2ea7acfd0c93523cb1bced5f02267ca58f9ab7164044ec60aa4c7776735ab557a98
-
Filesize: 204B
MD5: c6992354d2fb73eb86148f192569c7ee
SHA1: fa212fc9c3d595bb5e3ad3c4415ae8142859a12a
SHA256: 0e39d9a2dffbac1b93a90d32470ee707f3617396638058ab65a5ba5b40d4625d
SHA512: f8dfc436f72421895e69750aec20828b04b4459ec3876431179d8f4629046766807e692e93ccfc728c2d8c939a7492b461a4d3eebb8a876b6684cd7453601fca
-
Filesize: 3.0MB
MD5: 728bdcea688eeeebaa17592ed50d65d8
SHA1: 25f56ca18d8fbf4dffdee00309998b8e36d7312a
SHA256: ab662da369ca17d5a6058a25c6c922c898276275076a15ed50a5dc5626fdd7cd
SHA512: ea13cff3149f11a3f6dd64fc2997f561277ecfb67113de5252d0f895a167ff2ea0ef3698f83296bb757f4edcc0888fc02713a4cce92a9acddd2d88b0baa39931