dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
Size

3.2MB
MD5

8213a9258de910ac54e809856cf29c3e
SHA1

49b0e82b0c44929666852484033c2d3f08db4095
SHA256

dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa
SHA512

3d2a8a344fb56ad9f66f4918723ba54f402085410c4dfa553ccf353010d4e166c582084fdec74cd3321c21874825925b5c80320361bde3f3362888a8cd0f2e35
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Executes dropped EXE 2 IoCs

pid	Process
5008	sysxbod.exe
3112	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPA\\xoptisys.exe"	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFN\\boddevec.exe"	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe
5008	sysxbod.exe
5008	sysxbod.exe
3112	xoptisys.exe
3112	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 5008	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	89
PID 3004 wrote to memory of 5008	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	89
PID 3004 wrote to memory of 5008	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	89
PID 3004 wrote to memory of 3112	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	90
PID 3004 wrote to memory of 3112	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	90
PID 3004 wrote to memory of 3112	3004	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	90

C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
"C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\IntelprocPA\xoptisys.exe
  C:\IntelprocPA\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocPA\xoptisys.exe

Filesize
3.2MB

MD5
953020cc9463346a7e98aebde3b807e5

SHA1
7ea851a8794022a7ac43fabef2141108bad82346

SHA256
0c3d632672cbae06fcc5812011147c3fe2eb448ff354821fcb6ae524cb93a012

SHA512
ffb698167c76fd1a25422024c09f86d65a241b092318c205e200e565dbc9ef6cf9b16ec650819ce943be8ae9382b2506f83ae9fcc350dc7cbb87bcc1dbf192b7

Download Submit
C:\KaVBFN\boddevec.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\KaVBFN\boddevec.exe

Filesize
3.2MB

MD5
eb796be35930db00d265ad06675bdb2a

SHA1
b21d607d6e8aa4c9707917b3a77424ca46cc0e62

SHA256
827d1948a11495b78b972f66175b08217e4b4961e131e9ea98cfe57b884d7d7a

SHA512
86484b7e65cf421be80d7182e630fdc7024d70ac17915ae01680b462aafdba91c4619fc5dc9efdc48fd97fa8c3d25df9a4036ee3dc5e3d0383a3859742f32501

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
3337ec598e6cbc6312f61bfa8a66281e

SHA1
93dfbc1f9b624242d7bb0ee090217d4c71279971

SHA256
1109a53c85ed620fd884e8fd445b59a184d71b6d037a5e2d22b03c6c3912f887

SHA512
bf0545cc6e534dd9e472ba9b17fb7c7c22e5b3544b6809857d3f200c3b8fa2bd13646200a0d9dfbd86b434e1436fecf7c92ac8b7779a14146c1b4068e165d960

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
f4b7adb303ed185cc0c307e7e3b2adb7

SHA1
d953076b2d04f4b0f2535c33d741f1e645cc346c

SHA256
141db3f72a42bc509b45f69e59958f88bff1db0007532e2cc24f382594847588

SHA512
a3c5444d0a1a1e047943c9c8c24682dce4b9cd971e2b229b7028c903c25bcc495e069e30ffd59be4b8382227af5921edc974a1dce2f346bc057f0c558938eee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.2MB

MD5
3964de7d80cbd1ff0492f3b2915afa7e

SHA1
a4faea0a60a96946887904e426e7089bdb963b81

SHA256
802ac0f13f9647f9e8b81260e7600cd758d2852f595d1a1b35125da668f0ba75

SHA512
576948e693a127776cc9bcf0217f72bebc3b1e68177567615dfe11839a2ad587260108d3f0f90e730fe8c5f0afaa4fca7cdf6063b352db22135a9e2291fe7bb7

Download Submit