5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829

General

Target

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
Size

3.2MB
MD5

39413179a6127b7934c1ab92ada07e3e
SHA1

8c33ddd736a43f51fa7688042a4cb4023e9a4a4f
SHA256

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829
SHA512

b8eb03c514efa123b5011b74fd11adbd5d421d9932fcfe96c5a81597809a28b760374737ecf308fb591813f344650aaf019d3073f561a3836dda84a43e7533db
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

Executes dropped EXE 2 IoCs

Processes:

sysxdob.exexbodloc.exe

pid process

1268 sysxdob.exe
3044 xbodloc.exe

pid	process
1268	sysxdob.exe
3044	xbodloc.exe

Loads dropped DLL 2 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

pid	process
3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGT\\optialoc.exe"	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7B\\xbodloc.exe"	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exesysxdob.exexbodloc.exe

pid	process
3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe
1268	sysxdob.exe
3044	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	pid	process	target process
PID 3012 wrote to memory of 1268	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	sysxdob.exe
PID 3012 wrote to memory of 1268	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	sysxdob.exe
PID 3012 wrote to memory of 1268	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	sysxdob.exe
PID 3012 wrote to memory of 1268	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	sysxdob.exe
PID 3012 wrote to memory of 3044	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xbodloc.exe
PID 3012 wrote to memory of 3044	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xbodloc.exe
PID 3012 wrote to memory of 3044	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xbodloc.exe
PID 3012 wrote to memory of 3044	3012	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xbodloc.exe

C:\Users\Admin\AppData\Local\Temp\5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
"C:\Users\Admin\AppData\Local\Temp\5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Files7B\xbodloc.exe
C:\Files7B\xbodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3044

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7B\xbodloc.exe
Filesize
3.2MB

MD5
a4be61c1c82ca4d25dd5435e346e896d

SHA1
f763446deebbf826e0e2eec76cfd2a8dba6e902f

SHA256
f791108880225e51e9cdd1fe713e7fd9ee42c948e8d80adcf39c984a0511f097

SHA512
82f579f6591472e530f359f5c3601270a0eb075dba8436188c9f55388117138c9b76e670bcbe58c47a3badfa10b9d758eda6a4882a93338a84e2dd0e1db3112c

Download Submit
C:\MintGT\optialoc.exe
Filesize
3.2MB

MD5
12ebdf77a0578e457462489b1f1e852d

SHA1
8ed9fd0a91bf9a23c7d575ddd246e94f48467a80

SHA256
60e53848fb4519fa144ccf489e7caa565575196e203ff537af7d3328d85a7901

SHA512
27a71c1386810772626f5044b233f0e95f0b2d8baf39833d839dca2f8323404157afd58e22f903b3d009de9fc31c8f32037ef2e5080276a8095cd1f47155cf89

Download Submit
C:\MintGT\optialoc.exe
Filesize
32KB

MD5
b49076433c0bf84919c9872909ac9b4c

SHA1
62ccebdcdf26aab3095a02caf388459acba54554

SHA256
047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99

SHA512
13bf6e46756787aacb11302c4300040db7eb4fcb38e7f33accfd48dab2ec6ed3056a5caf7212b585485fd71396d534800f9bef245d814f3af4489df0ab3f07e7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
169B

MD5
3db0dacc5026820dca3a7a26411fe9d5

SHA1
444652313406ec6231a4421a651f8bfaf0a98dc0

SHA256
68c43b42ecae59a2afda7af6b855a72e56cce0a8b490b18e9672721866c2aadb

SHA512
70f8af51fed2bf0c7a7e76028768cc51e2ac21a15a10437059187ba2ee4c8ce4554df8015a49c5cac10bf6f9e90e792cd65e93eb600d4364c5ad1bebe8ea6686

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
201B

MD5
6746513937495e54e7c473a395ce71da

SHA1
6e513973ff043cf4836689e4f6a1aa9eb145770c

SHA256
34beb71b6e7067b23939cc08477ec763d3a487fde3bcc7af6e80efbcc6e57550

SHA512
f2601dd67fe8d1b7324da7eceeb69349fcfbcff125ea81de769318d2edb1bb34be0a734c55c4b9f6cf71fcf117424a333507d771c5e08f7ec1f160e0fedf3190

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
Filesize
3.2MB

MD5
4e4d3b168fa8fbc2d6e0dbfd599e51ed

SHA1
f64a3cfba1faf3ce4c701249b6304ca30aadaac9

SHA256
1311016f5b9cb9ba7541a3d1e5d7ed1d961948eeb51db6e75959f8e724ff03cc

SHA512
764597840c97ea1067c27252a205a8f11b8be1b0ebaecace22687da54836fb8f0d019b307a83d444b2f152b5b166527b07d748a51fe78205644c0929964a786d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads