Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 14:12

General

  • Target

    9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe

  • Size

    2.6MB

  • MD5

    f84e858ccabc63dd0f5f79eb455065db

  • SHA1

    a621c1cfe9238e5138a6bc1fc5f49f006d188382

  • SHA256

    9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8

  • SHA512

    b15d3cb494230583380f16f4e7dd2335d6a07afff3392321c71364a31ce501fdc12bfa06a4a3c404a86643d122cfac32b1e0831c61e6c4ce7ab688b361d03759

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSG:sxX7QnxrloE5dpUpPbv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
    "C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4784
    • C:\Files0R\adobsys.exe
      C:\Files0R\adobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3612

Network

Downloads

  • C:\Files0R\adobsys.exe

    Filesize

    29KB

    MD5

    c2b58e7bd0d9d36929797d78aa1d3e51

    SHA1

    8fc011635fc3980b8429b2956954a84ef4f62f48

    SHA256

    d5277dd43fac6b920dc73e189c8ce3c2b5d25215f887f88a07155db345eeb18c

    SHA512

    78c62f3f40b38eb2f380b786661968a0da8840a04924336873b4f4aceba9dd3bd8652ebb78ce9ba2b6128880c6d2ac12c784def607e382a7ede8e458ed4932e0

  • C:\Files0R\adobsys.exe

    Filesize

    2.6MB

    MD5

    677e096abc8e82cce2a74a1ada368d92

    SHA1

    8b6e8e61957ef509e0240dc8f91c6424109a68e7

    SHA256

    8971bb77810412ddcfc1bfbe09c1d2453fe8f21ab85f9146a8690a15cdca0524

    SHA512

    8b317dcbf9cf0fdf31fcd4af49e5e06b804dcc24ec79a7d2cd3cf77e4b3aec0be27a595e7059908fded2f1102259530bf034eae49ccfea1388377913112fd6b0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    004371e12c948fec34974e95bd688d46

    SHA1

    3826df4de88709460340c4a47bbafbac6ac00f02

    SHA256

    95a16037791bd0f0ee3985f05eaf80482cf5f29d0c09e67daf091fab0c90f5df

    SHA512

    d14d4253a4a5137a9b03be50205456d5e2fe3ab93b2128eeaf764d9b753ce0301259c51848e0929b6b74e85bca502098173b72604d4c3b242d366aeba62e6767

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    0c0dc5e12fafb304dcd76ccf4fcd7238

    SHA1

    c3333e6702751274de7ede790ab6d9c3e688f0d8

    SHA256

    5c3735d81ea829a5f3b933eabe2a998bf02e72d2b11a659bba3cf4898a02bc8a

    SHA512

    7fb5221d4a870276bd80c2e7db8463faf66de17ce0e54279d6056cc2c8681240c3aa61e8a0b7e548ba7e117a781f6419decb4c1f1e567849b34efc0464d037c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    2.6MB

    MD5

    781c42328e2c2fed6f7470e97cba5943

    SHA1

    4f2387353191f2ece1fc67dfaf6121ebd746e0dd

    SHA256

    30676b9e8990db248e6ae094db842349630d542f8f6f2039ed0c146ba1153141

    SHA512

    8847457f185d993cb705b75b9bf86248824294c78efdf038bcea927a2d4fc59c6744307762750dd13bea45c2d8708fe3e87821e3741da224eb35206cf3717763

  • C:\VidL7\boddevec.exe

    Filesize

    279KB

    MD5

    fcac57f8ad53da02b17acc60d77dbb62

    SHA1

    4db37a2c0fecbddeb7e9c84e420bebfac4df31be

    SHA256

    05191c49a3161915c767653cf98b2693c5b920754bdcc7e12b7f57ef981f4eee

    SHA512

    584223c9cae89214c4b7dd3269b2849b0d3fd271f7d34336feb7815ae39de7ac264f098cc8c22c98edacf6312041b61a7443fdd61a75b2092c9257e59e443ea5

  • C:\VidL7\boddevec.exe

    Filesize

    2.6MB

    MD5

    1103a1233cf4354ab24809e2a75fb092

    SHA1

    53d1c1a8047a0e6df8ffcbd9a53f957425b38184

    SHA256

    5c266924b93a17be44cc534922f2331bfbd50c3c402b246533b08b42cda49e76

    SHA512

    fcea43e709eccc3941d258b142fca144a402aaab6ce5acbf0a58c7637c8c2ca8f45d21a6fdf808def9630e8d497a254c953af0a471a955eda7b8033ad85f9538