2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a

General

Target

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
Size

2.6MB
MD5

411a3af6ac95d7f3f0308f29bb40fffd
SHA1

bd87d2b0d738afe5ac4af9d5b17d58a73446f7a4
SHA256

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a
SHA512

fb95f50b3188d87b1ee87073e4c3cf976dbe43fce311d4976be2055f813a85c53cb7a695bf36bcd49a5d4b1d3168055713c34780d406b05d6c9802216dd7c088
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUpVb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

Executes dropped EXE 2 IoCs

Processes:

sysxbod.exeaoptiloc.exe

pid process

2328 sysxbod.exe
3064 aoptiloc.exe

pid	process
2328	sysxbod.exe
3064	aoptiloc.exe

Loads dropped DLL 2 IoCs

Processes:

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

pid	process
2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGF\\aoptiloc.exe"	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid77\\dobaec.exe"	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exesysxbod.exeaoptiloc.exe

pid	process
2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe
2328	sysxbod.exe
3064	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe

description	pid	process	target process
PID 2188 wrote to memory of 2328	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	sysxbod.exe
PID 2188 wrote to memory of 2328	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	sysxbod.exe
PID 2188 wrote to memory of 2328	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	sysxbod.exe
PID 2188 wrote to memory of 2328	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	sysxbod.exe
PID 2188 wrote to memory of 3064	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	aoptiloc.exe
PID 2188 wrote to memory of 3064	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	aoptiloc.exe
PID 2188 wrote to memory of 3064	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	aoptiloc.exe
PID 2188 wrote to memory of 3064	2188	2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe	aoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe
"C:\Users\Admin\AppData\Local\Temp\2846487118e6d529062049e8d73daed5c1650249661faf4d2b4bf9fce3c23d2a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\FilesGF\aoptiloc.exe
  C:\FilesGF\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesGF\aoptiloc.exe

Filesize
2.6MB

MD5
dd8b226dc6f859c29d8769954f6952bb

SHA1
f4c3bad0619de4f794f56c206ea5a9e6810f6f6f

SHA256
3d6eca275c601ef050491859bd1cfd4c31493f9d66f4bf1d85fe088be648b917

SHA512
7eae31fe010d96e7f5dd9e2c7c3b52a978050129d6b1124b4c526e574ccd04d25a971ff7ebcfa9989b56bb8e8d32abfe1d6c782be6aec003c2e8872ccfd58932

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
cef325acf14160e0e8fccefc916c2919

SHA1
5c69de49cdd7cf3efcd9066234fabda03143fa72

SHA256
91427ec5a8d3508797554ed806389ffad8f795201f748e831f193673d5708494

SHA512
24d8cbb1efef5d0d5a9c221450ac8522013cbd9f5b1e68a1d6c64389013b6a059a7ba33f11334a62286bdb957ebfe4039b1c5f10efabdc9719f6e267391208ce

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
cdcda40e9ad1c316e9e699aa44ddedf0

SHA1
2e8ea6f32894703b2556d6eec2754fa63f55a0c8

SHA256
29628148aee6dbefcce9f2ba6b747427860dfc84859b7bd2cdbbeed87d54b7ab

SHA512
8f7bd596dfc184568befff5227e6a77434c914208c336ff94514421c277a884dadc540057a757c258d2bdc02e52d75fe2c41052a1d4327dc209932799caa288f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
d59b88a8b79b1f99bf518a50a96443e9

SHA1
deb95e13132d6c00ffb80ff8cb071bd9f684ec57

SHA256
852b94c6612b02c35b63d7e8ec5561499484c70b402e9b394c4b0461dea002a5

SHA512
bff50a0af427e0691b72efdf362b84b8a47c074a8babab44872730e6925e0c717434cc47e3397213351499d6b952febec08285c53b44283c5505f9b767ea6ae0

Download Submit
C:\Vid77\dobaec.exe

Filesize
2.6MB

MD5
0779c2418c28a22f01bee15309169593

SHA1
1009d7c73c4bc5ed48429cc085514de268920e01

SHA256
6dfccdb6bed325dbeb3cf26089f03e906d8e36c0bdfae3fb43e84c4efa50dbc2

SHA512
e9bd272f199d890b2da089f890296c0a4c5758202ad5f644ee8c310460756736a56fa059e70833f75c4ec644646d6da0e6b2c829fc31d0613047127b7ae97d40

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads