Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
- Resource: win10v2004-20241007-en
General
- Target: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
- Size: 2.6MB
- MD5: b7964b6f0b7d2d2e63446814b957a1e9
- SHA1: 664f2975d8b21db19df1ea3c9325da2852d7f14b
- SHA256: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d
- SHA512: 713e89f3c805348f667ced89466ba956422cbe4e0002594583bb103620a185235a18a8bded5ee1d1b95a846e29b0d8229c7623d861700af208b1894e71d9c263
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSq1:sxX7QnxrloE5dpUpfbV1
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (by 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe)
- Executes dropped EXE (2 IoCs)
  Processes: sysxdob.exe, aoptiec.exe
  PID 1740: sysxdob.exe
  PID 2992: aoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPF\\aoptiec.exe" (by 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKX\\dobaec.exe" (by 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe, sysxdob.exe, aoptiec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by sysxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by aoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe, sysxdob.exe, aoptiec.exe
  64 events in total; identical pid/Process rows collapsed below.
  PID 2836: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
  PID 1740: sysxdob.exe
  PID 2992: aoptiec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
  PID 2836 wrote to memory of 1740 (Process 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe, procid_target 88), recorded 3 times
  PID 2836 wrote to memory of 2992 (Process 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe, procid_target 90), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe"
   PID: 2836
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      PID: 1740
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrvPF\aoptiec.exe
      Command line: C:\SysDrvPF\aoptiec.exe
      PID: 2992
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads