39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 20:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
Size

2.6MB
MD5

cf89246098350850975b3e7c3efc920e
SHA1

816676018f64aa91e553a959b2dea3aeb31b437d
SHA256

39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20
SHA512

5eddd5e836ad68b2f0ad4177daec87d5d1be358155c823593f8217edbb414d4633b4b9a301011c2ed3c20178b121106aa30dc8c09da1c9be6d548df53fc65a84
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe

Executes dropped EXE 2 IoCs

pid	Process
4312	sysaopti.exe
3740	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAJ\\xdobec.exe"	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNG\\boddevec.exe"	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe
4312	sysaopti.exe
4312	sysaopti.exe
3740	xdobec.exe
3740	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4312	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	91
PID 4596 wrote to memory of 4312	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	91
PID 4596 wrote to memory of 4312	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	91
PID 4596 wrote to memory of 3740	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	92
PID 4596 wrote to memory of 3740	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	92
PID 4596 wrote to memory of 3740	4596	39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe	92

C:\Users\Admin\AppData\Local\Temp\39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe
"C:\Users\Admin\AppData\Local\Temp\39058ed40edb3f306fb6b5dc609088c545d581b8015e496ca57cb13e10876a20.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\FilesAJ\xdobec.exe
  C:\FilesAJ\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesAJ\xdobec.exe

Filesize
295KB

MD5
2d6ccb431baa98e0c43d8f4be46d71a4

SHA1
0e1df97e0835f4d14993e7ca1cfaadb179165f90

SHA256
bf34cdede089b25e761747f32647e994fe6473d256aebca6a2b27c49dae598e5

SHA512
7eae41541f71b6794c198563d776a4e598b943083a4724f161104cd1e13945a20509f27b79fa517dd2a0aad7be1413803c32bcd358c66ee6fe131413b1d72832

Download Submit
C:\FilesAJ\xdobec.exe

Filesize
2.6MB

MD5
e835fd50d2e95610207829d0973bfcb2

SHA1
77bb7c85f73d349da01b376794f77969b85ba243

SHA256
ab1ac8a15dd7c210fd95e1b22a53300df0c6f44d3a41d1b60e3e76afea480113

SHA512
862ac13fe8dc1cdb24d4e7ce324d6581c7847a0b68a5c10186cba0045cb442765d9051f5d2a1b8029150bcc0ae66c3611e8bab74141758c3e246eca85b8640d6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
b71f06eea8e79984764fd85f65969ce2

SHA1
d2fcad37d549b5836e976d9ff715b7a2e44d204c

SHA256
77b2702746f7a6605391239a8cae9f6fa80617a156f9002946bd19b72159a18a

SHA512
9341fd285a90e024b26268c531156445eb892735549e0cf3f59f4fa720ddc6222b88441e61dcce5ec90a52bc624c363ee784def4a260811dff0f958daf5e27a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
cc56ac054f5467806ef5670078c5376e

SHA1
a7eaf9c9214bf5fe9bc49dbfa534136dfed2126d

SHA256
23ec21bee81daf793703383630d3335ab2086ea78027df33df31ac1a60a31b5d

SHA512
6d7fd9019d4539021471a8fb439614bf2d858322e53ced133e95cb076ed386f0d9a5b5c943999ab5387e675af455fc68cd0220eceeb00556d44b22764eb373f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
1fc6a795f108e4e2bf439a86d8fd1bff

SHA1
3903b099040d9ac47c954a7629cab1b1b617bd59

SHA256
b8c750c3b580812452466321be1708d87fe09e8e9e0c9f9b74d215cae6c0dac2

SHA512
47eba481008dd3c2bf8c6356d77ad644ebc3a6c3ca268316f19902a18fd6826e2b647cb183472dde5b4d3a6f2898e542186ada755f20148f9bf8db2d519d8af4

Download Submit
C:\VidNG\boddevec.exe

Filesize
1.6MB

MD5
d4956a7313daa16272d6d16b727b580e

SHA1
33801e39a70b3e6a3c05ead1439fe363779293fb

SHA256
a8e546fa70a01b37677087b253af3335b092c6b93e916da2171f0c47243b8fd8

SHA512
22466213e59de01c6c8b479f9f8b00b43dd00ddaad935fa987088a3818a829f0d7f1dcb2aba46256f0a1fc09f8e1396013f6169836e7b2f3e71812390d55f98f

Download Submit
C:\VidNG\boddevec.exe

Filesize
2.6MB

MD5
1c9d92ee22c30ea64437547b12d05d05

SHA1
54f8859d4aa2c0c1e17c42dd5914e985d32c314b

SHA256
a300649be367463308c8514f948916091d0557afe3427ec1eec2a807a2f185a7

SHA512
64605db8d758729ce6fe235dff27d4aceec1d4bbc9b2a427fc13205e2e91238e8e985e6a46b945125889fcddacb10993900fe5e9a43f554505f5d9d30f3c1954

Download Submit