d3bbf25e5244d5b0040ef5d88c20b141e63ec24811802a55a36b9e2879423698

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e5aa7dd600e756436350f7e27dbff1.exe
Size

3.0MB
MD5

97e5aa7dd600e756436350f7e27dbff1
SHA1

861d7d26ca1d25cc202ed24c253afff3166607b9
SHA256

d3bbf25e5244d5b0040ef5d88c20b141e63ec24811802a55a36b9e2879423698
SHA512

9a211832866375cf68d06b771959585afb19b3004440f7e618433b3d746ccbc28cba47a4624e30d1c51f140ef8bc102b28cb2ddbfc0c44dd90a8f8a23f9aadb3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNX:sxX7QnxrloE5dpUpNbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	97e5aa7dd600e756436350f7e27dbff1.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	sysxbod.exe
2352	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	97e5aa7dd600e756436350f7e27dbff1.exe
2540	97e5aa7dd600e756436350f7e27dbff1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQB\\xoptiloc.exe"	97e5aa7dd600e756436350f7e27dbff1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFX\\dobxsys.exe"	97e5aa7dd600e756436350f7e27dbff1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	97e5aa7dd600e756436350f7e27dbff1.exe
2540	97e5aa7dd600e756436350f7e27dbff1.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe
1692	sysxbod.exe
2352	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1692	2540	97e5aa7dd600e756436350f7e27dbff1.exe	28
PID 2540 wrote to memory of 1692	2540	97e5aa7dd600e756436350f7e27dbff1.exe	28
PID 2540 wrote to memory of 1692	2540	97e5aa7dd600e756436350f7e27dbff1.exe	28
PID 2540 wrote to memory of 1692	2540	97e5aa7dd600e756436350f7e27dbff1.exe	28
PID 2540 wrote to memory of 2352	2540	97e5aa7dd600e756436350f7e27dbff1.exe	29
PID 2540 wrote to memory of 2352	2540	97e5aa7dd600e756436350f7e27dbff1.exe	29
PID 2540 wrote to memory of 2352	2540	97e5aa7dd600e756436350f7e27dbff1.exe	29
PID 2540 wrote to memory of 2352	2540	97e5aa7dd600e756436350f7e27dbff1.exe	29

C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe
"C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\SysDrvQB\xoptiloc.exe
  C:\SysDrvQB\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
6ceff2815cd5d156d60476b0aef7a14a

SHA1
6530536859692a60c2787c90b754e485a6822e82

SHA256
502fb04fb76f0a14aa388c45cc5882a5d11e51433d8ce515b1b615733a492bee

SHA512
7b71c8016e7a3c56f1f46b5e8c7b23059e2437bd51ddbb0dd1241272767222fafdba2e35a6d55466f635ec07dbf949fa7bdd2a94d8eb17947efda72d82fd2204

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
314a197554cd02b4c818f3765d3cc3bb

SHA1
7174cc9dc114bc71528b37a0c6458a9495cbf29c

SHA256
ea433389ee95c7de3ce35852dba904a7fa5c22bdbba4b952a3d13d4e28a76fcf

SHA512
a011918fec2f79dec37b256021710c1e3c12b8c091244f7d163a4411e94a75342137b50f806931c30b08cd4b3202137b02138ad8246edbb06ceae84aee7d64b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
14KB

MD5
abb2ca32218fcbc2392cc75592e86043

SHA1
458bff49ff1b601a3ab79319617d25fb50666927

SHA256
187623cd50d1d97ef7ae6e650593b2f4189a3b87849e7698057debec04286703

SHA512
cd919402324c608adc8eab55339417752f9465f75b805da55ea00c4f52828df5d2a5bab130b6eb122b440a17d4b969bd09ced6b7d1fae88ae42cb602499dbca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
1KB

MD5
9d1c132c56b4c87e8e1b7fc60179f104

SHA1
d8b886e79d9823ea8c9ca57409bfe2a1f30919ad

SHA256
6604646ca5a3444943740f5a8b8a46c0f881f8a9f30f4f3552d68c0bb3cdf735

SHA512
210708ed38a0fca4727fbbd70ba39fe003f14c78a5f8b672776edd8eeaa7fe253fa74f0648e9908b185bd067f43eb4e51418be0c631aa36fe50d1091b9e67991

Download Submit
C:\VidFX\dobxsys.exe

Filesize
7KB

MD5
1096856d5bc5d81883e872e4d791c491

SHA1
e53e8ba17d351b76482549ed552b312da2721941

SHA256
ffa5f5e2ea2dec035f0010ecb6adaa0475363e6590fb8fbf22f24976e160c808

SHA512
b1737fea0fd35ad0d6e9bfd01e0638ccc2421877728206e6f4854e050bd41f01420a0ac9ce02744eb1d592ed6698bd3c01baf786824de756f096d3ae4ebf5cb9

Download Submit
C:\VidFX\dobxsys.exe

Filesize
11KB

MD5
6b82ef94eb1b34cddfcc3ab129546d29

SHA1
3305e6d6cb1e24f7dff5381b737d95e96cf3ffb7

SHA256
7faf56e8b156e444c1f428fa04579e2bcd3ef7444fafaebcc2bac5ac22929045

SHA512
0f7c4811e87d5e6da657a15f3cca58fe9e189431767809fa0144adbecafc423b17c25c81ad5ac65c590a22d85c1f25e2ebff282cca560f0b2ae4ebbb45f0105a

Download Submit
\SysDrvQB\xoptiloc.exe

Filesize
11KB

MD5
7d013c85367e5ef615ac960d41b6c487

SHA1
5524c4d88ab8f09cca1b18057c6bb7d8575fae91

SHA256
199f91afe22371b854395bfd5149343c27c0a355e54aa16badd508b631274b2c

SHA512
6a1026eeafbe63ecdaa26a2e7032105d56625949359eaa7ad77956486702c671d72cb9c989eb6de5817809fce6ef49a7d8cb538e1362ec3c66bd4df5598dff54

Download Submit