Analysis

  • max time kernel: 150s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-05-2024 18:51

General

  • Target: 12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
  • Size: 3.0MB
  • MD5: 0d25425ed53c5a0f1d81abac488d4e9f
  • SHA1: 215499048aca81000e98a40fb05e3e76aed30203
  • SHA256: 12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569
  • SHA512: 8fb9436d552ce40ee8608688253605cc45340d51a7179216c39093cf23107bb7ddb0bbc137dcf5341c2f9e1d39f31ae226e3ec43763a913baa4be22489f053b4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNX:sxX7QnxrloE5dpUpsbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
    "C:\Users\Admin\AppData\Local\Temp\12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2632
    • C:\Files2X\xdobsys.exe
      C:\Files2X\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files2X\xdobsys.exe
    Filesize: 3.0MB
    MD5: 482287deacfb271f1da8fe7b546d5b10
    SHA1: de0aa82df0ba626b0a6ef8a655bb5957d30d84b9
    SHA256: 41f2da0f979f113abb352726f0650e8cdc318b53b59b54dfbfca0f91cf11e40d
    SHA512: 3bb7261144b6c794c3087841f6a0eaa24b1b7e985fb73df2ef73fcee73f0139d281561c902fbd3842d0137f36c06c33264655352c19f3df4218ca6fa16e95067

  • C:\MintX6\bodasys.exe
    Filesize: 2.0MB
    MD5: 2456e825ceeedb20f71206165d49e947
    SHA1: 890f9632fef2a6bf43a9dfd735746c09de658961
    SHA256: bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606
    SHA512: 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

  • C:\MintX6\bodasys.exe
    Filesize: 3.0MB
    MD5: f5c01f8af0e1bc5bf4176db9eda5131e
    SHA1: 64345ed27e057e3944efa562073cf48607a33942
    SHA256: d950b0f9303469410f566d10ae48f5944aaa2cfbbdad1fbb5210d53d946b4b26
    SHA512: 3c457b2e97f0f137f0f521a4b5593af16724d6e4a31dc0be609855569ed2064b02eafea14089b145e60b32b44285aa554e59981ca57febf6299ff645bdf53b6c

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 9646fb6fd171914079a28bceab26d077
    SHA1: 7623ac9a5a344fb0a9ccf8319c83cd41aa046de7
    SHA256: 985356b5da3290fe5255580078b9cbdffbfd62d39494195e3ea42e78329e1111
    SHA512: 148db41e618f67e79de2ecd1b028701f78885137542d805f8073e3864061433d65ef45859ce5f828776ccc3d31614a6f42c13f473fa224314bbe282bac1a5c4a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: 48dab163c6c1175875a595ddfd621317
    SHA1: 6ab051e5d8bbcd34af60b27e7f79803c14cebd1b
    SHA256: d7eaeac8624e5625c81a7d793731970cc5d998f04fb035568d1da525a23cd4d2
    SHA512: 7499198ff734f2212b9c411595283fcb60cbbb538739bda6c276f2fc89a34a6d76b8e5a3feb1f07c14e902a5d8a867c2db3b33e849e5e0989033602e44bc5d20

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 3.0MB
    MD5: e1aca2f8a7eb3e5d33757b3f20e6ac1b
    SHA1: 037a048b0341df35b90680d6d641a5881527f6aa
    SHA256: 7fbd57c9a3d250d4cc4020a68f3e02a816765aee6edb6f956584ae32e285a823
    SHA512: fbb4edf34c9a89e9cafecfd2d686177870e8ad7c0acb714c26c7dde98b767bc23464fe634d1728c86c91e1e67b2abf230df021f35a1d51bd849b88e990abc2e1