Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:12
Static task: static1
Behavioral task: behavioral1
  Sample: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  Resource: win10v2004-20241007-en
General
Target: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
Size: 2.6MB
MD5: f84e858ccabc63dd0f5f79eb455065db
SHA1: a621c1cfe9238e5138a6bc1fc5f49f006d188382
SHA256: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8
SHA512: b15d3cb494230583380f16f4e7dd2335d6a07afff3392321c71364a31ce501fdc12bfa06a4a3c404a86643d122cfac32b1e0831c61e6c4ce7ab688b361d03759
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSG:sxX7QnxrloE5dpUpPbv
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
Executes dropped EXE (2 IoCs)
  - PID 4784: sysabod.exe
  - PID 3612: adobsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0R\\adobsys.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidL7\\boddevec.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysabod.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated across the three processes below)
  - PID 1372: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  - PID 4784: sysabod.exe
  - PID 3612: adobsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
  - PID 1372 wrote to memory of PID 4784 (procid_target 86), 3 entries
  - PID 1372 wrote to memory of PID 3612 (procid_target 87), 3 entries
Processes
1. "C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe" (PID 1372)
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" (PID 4784)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Files0R\adobsys.exe (PID 3612)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads