12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569

General

Target

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
Size

3.0MB
MD5

0d25425ed53c5a0f1d81abac488d4e9f
SHA1

215499048aca81000e98a40fb05e3e76aed30203
SHA256

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569
SHA512

8fb9436d552ce40ee8608688253605cc45340d51a7179216c39093cf23107bb7ddb0bbc137dcf5341c2f9e1d39f31ae226e3ec43763a913baa4be22489f053b4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNX:sxX7QnxrloE5dpUpsbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevdob.exexbodec.exe

pid process

3480 sysdevdob.exe
4788 xbodec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3480	sysdevdob.exe
4788	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXX\\xbodec.exe"	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVJ\\optixsys.exe"	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exesysdevdob.exexbodec.exe

pid	process
4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
3480	sysdevdob.exe
4788	xbodec.exe
3480	sysdevdob.exe
4788	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe

description	pid	process	target process
PID 4068 wrote to memory of 3480	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	sysdevdob.exe
PID 4068 wrote to memory of 3480	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	sysdevdob.exe
PID 4068 wrote to memory of 3480	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	sysdevdob.exe
PID 4068 wrote to memory of 4788	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	xbodec.exe
PID 4068 wrote to memory of 4788	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	xbodec.exe
PID 4068 wrote to memory of 4788	4068	12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe	xbodec.exe

C:\Users\Admin\AppData\Local\Temp\12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe
"C:\Users\Admin\AppData\Local\Temp\12e6cd12afeb90eb49a83a97bded8848d5a9e838009656e7312d868af7cec569.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\IntelprocXX\xbodec.exe
C:\IntelprocXX\xbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocXX\xbodec.exe
Filesize
298KB

MD5
42f7ad7849214974541e099cf5031b02

SHA1
21aebace0943c4b075a8df08167986dc35400171

SHA256
d69c1a6ea6cc7312fbd9c2e832accb7101939859b0328252f23db2d2892e88b2

SHA512
30fbed2d4605145d98706340c7d0b7469a5be814bea6434bda004a4ab69813974f2d1cecfe6af9de018b77eb51ca19e60994f7e5655f8a49f0b4fce4cee71063

Download Submit
C:\IntelprocXX\xbodec.exe
Filesize
3.0MB

MD5
cc7ab26dbcf184741d9d95aba827acd7

SHA1
e32e2bc930e3bd1aa2efe5348161a6bdf7b078bb

SHA256
984dd1afb1cc2ceadceb09a97fcf5bec5e8cf485fba6b6ed1191115daff82ca6

SHA512
1b53fa426fe5e75baf0156a0e0eec761c914d1236ab856e4b40b33f7dd1cdea6e2e08273788f540b2ec186539f996523a6345befd608c92aeda18e9b48fa820c

Download Submit
C:\LabZVJ\optixsys.exe
Filesize
3.0MB

MD5
46db56093514d6c4a735f824630cd87f

SHA1
9c6e3423e89ddf9c1ee5ae73c60bda167d179030

SHA256
d4bf415859bcddef8ccba785ccf3952d71392ba7346121aaa7447bf7e20eba51

SHA512
a743697350d201093ba3336c8b2b5fe73c576e587249c25a0d8e315867eec1da59e85255dca0c92f73e3a94809a701f8737fcec457e67eb91e70d58db2b3cc57

Download Submit
C:\LabZVJ\optixsys.exe
Filesize
286KB

MD5
d5c6a5be7cbf1aafefd9d98798007aa3

SHA1
fdb5332baa26e3058b1349a649f9592fcb9c2e9c

SHA256
a4fdcd2516d8d9b69b32dc4eba64cd68bcaefa24c90889045e1d9e49736726d2

SHA512
d2b00385f6c21a2fd436e778f96e8ce92e91a1e4b16a84beaf2cdadfa6f28f96dae325df0269fc4fb3f24864a6e8c5cb848889c78647ccbd53ba1bc8eab86931

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
206B

MD5
3430989866af363001dfc0a23b58af39

SHA1
cb151b745ab4647dacbafba71468d6f905e88376

SHA256
00e41b67d24c199180e3324274195d8fab06864a7a307216fd6a057234681f34

SHA512
e5e3461172987bf262f0ed7b0c25b9dc89345e71e500d3b1bacfb83b3c696434f2dad2605dbdc4df6f4373d75100ccf0fbf0886ac6b6cd691b3d66726093f4e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
174B

MD5
9765d171c7580ca428bf6f542fe03657

SHA1
7b819dbffe942cb29a4fb839778061f6d213ce4e

SHA256
5d6bc7b04a7d3f3b66f5a44da3197c9285a592754c29404cd2d3d823d60c1f9d

SHA512
a11d4f078aa25b773da6bea4f1e61e1cee84e7c52bc28db9ca35587513778df402ec79b155456b44b62e92846f96df3c18e103e60e83ce733244c3921d11af07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
Filesize
3.0MB

MD5
c3955a1efadb63f0a846998b5f8fe19f

SHA1
003ca25e717c7ede8ba876433afb841b545bd897

SHA256
367f4f1c7f004de6c4243583b22c46de5d48252ceff9fa8a2371c380bf2fd3e6

SHA512
25a4f92aab5b729102b5c1ec286c252cdf7fd4a49516991fce8f6a9a6a8908513f0bb196d26420067b34f0f5d870a1a1f620f1611872476b090973a4b733ae4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads