3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
Size

2.6MB
MD5

7f43e702314cf44035235486e870f2c0
SHA1

11d17ff50bccbcda964d01d2439bd3012256f7a0
SHA256

3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4
SHA512

19ab02b8003b9fc4f8009e5aa974da8f643f9bdde5bdae40540f6b283365a8a3a20822cd1cb82e5199ae8a1e1b74384856c180265a09b5c81a0cc38d17b9c5e0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSq:sxX7QnxrloE5dpUpQbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	sysxopti.exe
1860	adobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesN7\\adobsys.exe"	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLW\\bodxec.exe"	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe
4460	sysxopti.exe
4460	sysxopti.exe
1860	adobsys.exe
1860	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4460	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	83
PID 2340 wrote to memory of 4460	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	83
PID 2340 wrote to memory of 4460	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	83
PID 2340 wrote to memory of 1860	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	85
PID 2340 wrote to memory of 1860	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	85
PID 2340 wrote to memory of 1860	2340	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	85

C:\Users\Admin\AppData\Local\Temp\3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
"C:\Users\Admin\AppData\Local\Temp\3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\FilesN7\adobsys.exe
  C:\FilesN7\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesN7\adobsys.exe

Filesize
2.6MB

MD5
45918ccf05779d8e66c03e5899932fc0

SHA1
0a3c926f5eac105b650074973993cf9425e60398

SHA256
3d3ecdb313264c6b2fd22c4c2140577ee8863e26712c9919bbf0a9a48c3eda3d

SHA512
4729e99aa1484f92a44ce99982983eb1523bc9db19e2319b0e24adf0bfbf8bdf4018cc74729cd3db9d3f79bb70f9ea85a0b85e25610a9771249d97554384a656

Download Submit
C:\MintLW\bodxec.exe

Filesize
2.6MB

MD5
90907d863507d2c6f4c43eec0bb78bcf

SHA1
6b8eca6bfbb96445320f91fb608b133393b067f0

SHA256
72875506dfd989f5e09208673c30de706b544743bbab24eea21859551906dfca

SHA512
2fa789e66a082d2527a611fb0a22c8e7c6153375cac96a42abf4e333c5f231e76b2dd98dc4bca1a7c3655258e4a1eccb35354c58bf31c91c83f2bab6d0952481

Download Submit
C:\MintLW\bodxec.exe

Filesize
2.1MB

MD5
09ed121fde65f4a7bd17a162012c1e7c

SHA1
e55c7d5d1639d22d2641e1a561afb4d574d07e0f

SHA256
20df370b2c2e4f87dede50bed87836cccdf9a5438447494c9dca00edd6fd02f4

SHA512
7071e0f8fed87d122e44350bf7db6c4e9ae785ddf46cb4fc8f372c0506c0cc55c41a246894dd17f85f7526f825b5d3003cef1a2d6702049c27eeb0b939d1ce72

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
02aaf6fc7989e64a4ed21846c1701ddc

SHA1
cabbf557f9925d0bb3a7b2663a77712d9c8354a9

SHA256
32c427354c39efca95ef517f820f5ac08b29300f7b527668f512427632675ca2

SHA512
200cdd440ad71c11d22e11c3175840e35051b8fb3bd55c03a0a9efc982976f4fe7619b1fd77916174917de312e03e4b8e9a46728f754b22820ed1b6af7080e89

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
c128de168c5f2cf5e31b4e3b62c14dd2

SHA1
b00a622c459603208f70436bbd1b7663ed79b980

SHA256
d11032854f52954779bd086e1e16c74ebeb37fec00c354867b9548d29d9566d5

SHA512
3dd5622d7ddbb93b172ea3839d6a25e482300403a9d231606a72942366aa1e910b65d7ce9bbda38f38c5c61008f6327b63256ccd248c8bcfad84b99fbe930c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
42c14efabe3f8da1fdba2774a46cb8c9

SHA1
957fbb5da7ec2fd42eb6651349aab12df52b5d44

SHA256
b2cc03ae8526f99a9b52a74d4cff10590f292a8b316eae4d807499da25470e79

SHA512
1b5e3e531bbce48d89fbf01b91f27f8a4cd6f2ae4d2ef51005a698df89ef94b103ada29fdc2d5a00cb9941ce523b18220ef30093f8dd56b56da2a52c52b3aabe

Download Submit