Analysis

Max time kernel:   119s
Max time network:  16s
Platform:          windows7_x64
Resource:          win7-20240708-en
Resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted:         13-11-2024 14:12

Static task:       static1

Behavioral task:   behavioral1
  Sample:          9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  Resource:        win7-20240708-en

Behavioral task:   behavioral2
  Sample:          9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  Resource:        win10v2004-20241007-en

General

Target:   9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
Size:     2.6MB
MD5:      f84e858ccabc63dd0f5f79eb455065db
SHA1:     a621c1cfe9238e5138a6bc1fc5f49f006d188382
SHA256:   9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8
SHA512:   b15d3cb494230583380f16f4e7dd2335d6a07afff3392321c71364a31ce501fdc12bfa06a4a3c404a86643d122cfac32b1e0831c61e6c4ce7ab688b361d03759
SSDEEP:   49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSG:sxX7QnxrloE5dpUpPbv
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  2236  sysaopti.exe
  2420  abodloc.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  1716  9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  1716  9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD6\\abodloc.exe"
    Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid26\\dobasys.exe"

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysaopti.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abodloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  1716  9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  2236  sysaopti.exe
  2420  abodloc.exe
  (64 events in total: two from PID 1716, the rest alternating between PIDs 2236 and 2420)

Suspicious use of WriteProcessMemory (8 IoCs)
  Source PID  Source process                                                         Target PID  procid_target  Events
  1716        9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe  2236        28             4
  1716        9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe  2420        29             4
Processes

C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe  (PID 1716, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (PID 2236, depth 2, under PID 1716)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvD6\abodloc.exe  (PID 2420, depth 2, under PID 1716)
    Command line: C:\SysDrvD6\abodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  2.6MB
  MD5     cf485e8f2dfbbcdc727649b814ce6009
  SHA1    be25bf08941b727811b3c3869724ffe6559b6784
  SHA256  e65bd37d9e10694914b984aba11237f2c81ac295d2376c7c9d367d353a668201
  SHA512  8713baff7ddc0c7bf215ab2f688541ab163be755964daf625b03e4987ef99ca39ac301c180584d41e21f6fc34bd529c644d3c377aeff18b9b02b8166830898c3

Filesize  169B
  MD5     14ddf585d2326b219ca483194e186d24
  SHA1    0dcca9af7bd1e356efd1cb2a47b17094bfb26bf0
  SHA256  e866141ec4c79f9694641116f0b9a7718334b29efe831dbd569308f94138c5ce
  SHA512  fb83205bd3b1c0b95ee78e0d5b97b2c61973a39f48e0a0b16fa0a83313de61f305efa19bb0d8b29f8291aa1583782a3bda1e12c4c777e765c9df408fcf098391

Filesize  201B
  MD5     0c95a78b46278919aacf185c0a858b0f
  SHA1    c2d8832181787e1b99dcb91b750ee260007cf3e2
  SHA256  f0eb09bac52799129d955c2219ba21ad8d9472c28b4ea71d690b92d357fb4544
  SHA512  eafe67739e42014e3a356485a4dcffd42b491e74e662db4c427e04c027c1648a6e88712ab1476b39d3fcdf92668a7e52b1fbd53f8b107ecf0d490c34da991e13

Filesize  1.7MB
  MD5     cdd97b53b5ff1c4c91ddadde33a72d19
  SHA1    e874795b48a2225d7a2708576fd4d0606378c736
  SHA256  438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde
  SHA512  e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Filesize  2.6MB
  MD5     f2ede176433b9afe7462d3dc28be0984
  SHA1    ebc2199e4be45295205040763d322b96b79b1468
  SHA256  2551163c11631adf2f126b8cf1b63781a1dcdb3e8dfdb67af0495bcf883e6061
  SHA512  088e4b7cfb59dd6a90dad69cd2719578d328f76d9ff64406692a519873883c494754bd95e94808f24f68506a52df4f9e948ae4242a54082ede2bfd4415d637bb

Filesize  2.6MB
  MD5     feab632b01632bd5a299bee40d2a721f
  SHA1    4e48fce3e61aa5c9dd0b2c4a18d7506f72dd9fec
  SHA256  8e9c76dc56465b32585952e351352025d432ad1fe9401ee1975e9462ef6e44b1
  SHA512  a0381625f37786a94634956afa44a7d46e7d79c7992a5b76513354584a374304aca27c47f59fa9b7c0130bb7caae4c8e63fd8d7d75b1c8d5de65998e4042ba4d
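The following is an added host-hunting script; it is not part of the sandbox report. It turns the artefacts listed above into a check a responder can run on a suspect Windows machine: the startup-folder copy under "Drops startup file", the Run/RunOnce values named "Parametr" under "Adds Run key to start application", the drop directories C:\SysDrvD6 and C:\Vid26 from the process tree and registry values, the dropped process names, and the SHA256 values under Downloads. Assumptions: the script runs in the profile of the user being examined (the report shows the values under that user's hive, mapped here to HKCU), Get-FileHash is available (PowerShell 4 or later), and dobasys.exe is included as a process name only because the RunOnce value points to C:\Vid26\dobasys.exe; the report does not show it executing.

```powershell
# Added hunting script for the indicators in the report above (not the report's own output).
# Looks for the startup-folder copy, the "Parametr" Run/RunOnce values, the drop directories,
# live processes with the dropped names, and files whose SHA256 appears under Downloads.
$ErrorActionPreference = 'SilentlyContinue'

# Indicators copied from the report: submitted sample plus the six Downloads entries.
$KnownSha256 = @(
  '9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8',
  'e65bd37d9e10694914b984aba11237f2c81ac295d2376c7c9d367d353a668201',
  'e866141ec4c79f9694641116f0b9a7718334b29efe831dbd569308f94138c5ce',
  'f0eb09bac52799129d955c2219ba21ad8d9472c28b4ea71d690b92d357fb4544',
  '438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde',
  '2551163c11631adf2f126b8cf1b63781a1dcdb3e8dfdb67af0495bcf883e6061',
  '8e9c76dc56465b32585952e351352025d432ad1fe9401ee1975e9462ef6e44b1'
)
$DropDirs    = @('C:\SysDrvD6', 'C:\Vid26')
# dobasys.exe is assumed from the RunOnce value; the report only shows sysaopti.exe and abodloc.exe running.
$DropNames   = @('sysaopti.exe', 'abodloc.exe', 'dobasys.exe')
$StartupCopy = Join-Path ([Environment]::GetFolderPath('Startup')) 'sysaopti.exe'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
  $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Startup-folder copy (signature "Drops startup file").
if (Test-Path -LiteralPath $StartupCopy) { Add-Finding 'StartupFile' $StartupCopy }

# 2. Run / RunOnce values named "Parametr" (signature "Adds Run key to start application").
#    The report's values live under the user's hive, so HKCU is checked here (assumption).
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  $val = Get-ItemProperty -Path $key -Name 'Parametr'
  if ($null -ne $val) { Add-Finding 'RunKey' ("{0}\Parametr = {1}" -f $key, $val.Parametr) }
}

# 3. Drop directories; every file inside is hashed and compared with the Downloads list.
foreach ($dir in $DropDirs) {
  if (-not (Test-Path -LiteralPath $dir)) { continue }
  Add-Finding 'DropDir' $dir
  Get-ChildItem -LiteralPath $dir -File -Recurse | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256 -contains $h) { Add-Finding 'KnownHash' ("{0}  {1}" -f $h, $_.FullName) }
  }
}

# 4. Live processes with the dropped image names (process tree: sysaopti.exe, abodloc.exe).
Get-Process | Where-Object { $DropNames -contains ($_.Name + '.exe') } | ForEach-Object {
  Add-Finding 'Process' ("PID {0}  {1}" -f $_.Id, $_.Path)
}

if ($findings.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in a PowerShell session for the user whose profile is in question; a clean host prints the single "not found" line, and any hit is listed with its kind (StartupFile, RunKey, DropDir, KnownHash, Process) so the responder can pull the file or kill the process directly. Hashes are compared after lower-casing because Get-FileHash returns upper-case hex while the report lists lower-case.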