14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
Size

3.0MB
MD5

335061095dc0f7aa6db81282dcfaa051
SHA1

a1526657a5177b127ed45f25bf8a8f4282d96149
SHA256

14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e
SHA512

b5fa89f67a0b4fd0ba2e1be9595f702ec0d3b173d45e2af3f5087c6ca36da8bf8fc42aa6f7eecaa8944de8ec7850fc635c5d3b420ef88b6345d93c0042ea1b35
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNX:sxX7QnxrloE5dpUpubVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	sysxopti.exe
2912	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotED\\xdobsys.exe"	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH4\\dobaloc.exe"	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe
2212	sysxopti.exe
2912	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2212	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	28
PID 2824 wrote to memory of 2212	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	28
PID 2824 wrote to memory of 2212	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	28
PID 2824 wrote to memory of 2212	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	28
PID 2824 wrote to memory of 2912	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	29
PID 2824 wrote to memory of 2912	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	29
PID 2824 wrote to memory of 2912	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	29
PID 2824 wrote to memory of 2912	2824	14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe	29

C:\Users\Admin\AppData\Local\Temp\14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe
"C:\Users\Admin\AppData\Local\Temp\14ed98800c55644cce03597ad4d0969343ef45034cc8f3835eac37755654616e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\UserDotED\xdobsys.exe
  C:\UserDotED\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintH4\dobaloc.exe

Filesize
2.7MB

MD5
1e77a6fe9a9d14e8b9c8f9ab4d2d93b2

SHA1
8be3a53741e3fced95c49b8677754ff1e247df32

SHA256
db0272686fe82e97d80d9433cd60eb5278985abc2d6467782f79b8396f94bad0

SHA512
b656c3acfd9c59658235d709ea86f31557a013521faabdf8d2f0c4eea8c70a290ee783e172a9b111c9075cb04e0af0f2cdb048f09e9386a63d4d0ddccc9bf620

Download Submit
C:\MintH4\dobaloc.exe

Filesize
3.0MB

MD5
b72ccbf83e01eb869e2797a71d294cb2

SHA1
45dafa9968e56f708970cc42ae11d55a203bbc41

SHA256
d136172a0a4e0e94c3a35abf39b03cdc8f5f014a55b8f733ff236700a3ef8bf6

SHA512
60b99eea0d34a001b34f62c5f68bea245ec263125cb458156e322166812689326b574628b43736b72468d00b16bc5a935b3fa5ef482fd5630f14d7e7947ba95b

Download Submit
C:\UserDotED\xdobsys.exe

Filesize
3.0MB

MD5
6c071ab176d778cba30cfa2ebb4d916c

SHA1
3c4ebb92888c329ea3c345ae0960db1e02607c62

SHA256
77773037b86936aca97edb0662f16102dfc4456a3bd721c4e09734fb10d4b3d9

SHA512
c5f062e31e14e7273b96fe4b09cf454b66b4ccf8f8e295a634da5704e77bd1fe281d6419c377f4cf1718a1dd6ae15de0fc6d68a117ee364f2bb31df2807ade56

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
86b34112d93c7b5750b03ae84587ca56

SHA1
f25dc4a04abd86cb2f2a6a549c870e3e316bed46

SHA256
d14446269b36e7c0275a34943b210096c3ac2ef578fe5c1cae03454f56d230e5

SHA512
74b8911911b4bb1557ddd233f6f91c83bb4b0b464375806364c228957e878243a98efad505ff8e742266be3fda9fef82293301e553f6c27ccbfd3da1b237836e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c21cef209b75e40062952a934c5f1413

SHA1
a9872ce24f2126a3caf81526cda389d7bcecfed1

SHA256
ea1f441ed02ffae2bb29d3eeb5dd6d1ebae1f7b8b73076024230f04c31ad30a3

SHA512
11279827c5d82cfd04cd877086aa322e696aac54bb8465267a740db4e459bb4fd75dfe1fe190036c12e1d2984d247427bf7ad443f34beca11b9cfd91e7419bc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.0MB

MD5
c21db60cca74aa087634125c6324aab9

SHA1
2067e5fbf9f78f0b03eda991d6b45e149652dfb2

SHA256
24300394f563025b5a458e0a3777a424672235ca0ff514adcb849aa3f2f8f690

SHA512
92264f1af8c41ee0041e0a626448f331c80292304e9609fbb8f90d986be7759b2a22a50ac1f3f05d7ac81c3908c452e3f3e19285048cfbf38abd3c297d7add09

Download Submit