4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe

General

Target

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
Size

3.1MB
MD5

432cecdbedae53868e0630af844f1117
SHA1

447638357e4d19e379b13ab347eb08160ac35393
SHA256

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe
SHA512

123e6a83ed996e24421cadd24fc4fe9d45e8c3a0a04ed21241e6799879f36787a9d5f18cea2d8dd8b91fb829687669422a88976aaedd934c22a6b22f4d08da03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpObVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevopti.exexdobloc.exe

pid process

2856 sysdevopti.exe
4076 xdobloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2856	sysdevopti.exe
4076	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6T\\xdobloc.exe"	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid14\\boddevloc.exe"	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exesysdevopti.exexdobloc.exe

pid	process
3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe
2856	sysdevopti.exe
2856	sysdevopti.exe
4076	xdobloc.exe
4076	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	pid	process	target process
PID 3268 wrote to memory of 2856	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	sysdevopti.exe
PID 3268 wrote to memory of 2856	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	sysdevopti.exe
PID 3268 wrote to memory of 2856	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	sysdevopti.exe
PID 3268 wrote to memory of 4076	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xdobloc.exe
PID 3268 wrote to memory of 4076	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xdobloc.exe
PID 3268 wrote to memory of 4076	3268	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xdobloc.exe

C:\Users\Admin\AppData\Local\Temp\4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
"C:\Users\Admin\AppData\Local\Temp\4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Intelproc6T\xdobloc.exe
C:\Intelproc6T\xdobloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc6T\xdobloc.exe
Filesize
3.1MB

MD5
d6d4bdaa76908e6416e38dfd5474476e

SHA1
cc2bfba704edfa569e289ab355a5dffe98d4fefb

SHA256
2860b3614ba6134ce65c4f5bd4e7bbb2a17257e2b163012d2558e0c0722c81f9

SHA512
9ee5f7a0a682a867af207b62d6e3fafc513981d47b3dbb60bd53441418bb62249d66e8e41cdfdfd10be79bd81a308955bcbf971a858fa7c2eff1a348229ff856

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
208B

MD5
472853cfdd1f29a5ea641e95bc21e1cc

SHA1
c3a65719d2bdbfda03ed9e08f06a2af21c69b150

SHA256
e7728c87389167f9b0b9d82c8215818b13ff59f15a9bc7d8d6ee4b671a85a8e2

SHA512
fdc317502cc28e3f10e58e4cdace6ea25f283f02da29b9bf6faa0bc985145864f20995a3301a67899f55087bed4300ba8ffac15d2dab128f8330bd19c6c70a48

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
176B

MD5
f6e4f179dd53bae5fe74e6ce002e07a4

SHA1
04a5e92bbacc766d4ec6fa994e66cd377b0bfa41

SHA256
36270514fcd3dbeb00d5e0d768db23a029f516abafb9e65c5e794f8c6387674f

SHA512
920185723d022b377d5acaa640d84c148fdd4aad90bb556f0c10f037033cffea76d022721443b13584d6db7e4359713f8600f9ac1e3add4b3143415de53d2f86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
Filesize
3.1MB

MD5
16fa94aa38f85c396e5552a0aaee6a46

SHA1
b218927a155096dab8a1f2217958e0f8faf49577

SHA256
3c5d5e91fe4617a1472775a3d8903179636c5227ed87c255da8bc5317119259d

SHA512
97c391c765ec867de33e1466d70eeb792332a7b3eadfbbc2b054f2d62e7f13a5bf34f352a7b1a25e15336179589528699a1f3e79c3fe6ad8a6d5f0d6d5e45a1d

Download Submit
C:\Vid14\boddevloc.exe
Filesize
1.2MB

MD5
82e5c3f0916f0c3d419b59c389d9d501

SHA1
cb63dc4330e7feb52d38f1e3f4f3def39389a137

SHA256
56fc6d29dfd532bfb41d224bed921ade1f0a1aef2ce50cfcdb5c438f54802167

SHA512
3b2f0ce914967b3f3959e68aee79d38fd18701ef969a07f346cbf41e99e50fe90e12d85bb4ff0c1bb4fa34af687755784c513edbbadade84ee87d3755b484dd4

Download Submit
C:\Vid14\boddevloc.exe
Filesize
3.1MB

MD5
9c0fe4dcc6bfd682af0f2ffa9c82ce45

SHA1
10e1b49fef2080bbf6a0fe258bfe0e8ac8997a5f

SHA256
6880458f9a761ad4e400995fc9f57f2e632869e13bb1430613e21c15564794b8

SHA512
a7281f00e242bc306a5f27d083782558712072e23cc5b823588e7d79c237dbb65f7be81bd43cb7344f2dae137e142e949c5ec86a21f19991f7681aab848da78f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads