3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9

General

Target

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
Size

3.9MB
MD5

3303d48d7c9e208b2a472cdfbedb92e6
SHA1

4af1ca5dd9e7e2706b3413b15253b54ece573086
SHA256

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9
SHA512

c9820dc4209ea43cc65a915531c1b42ff759b56f94af9bbd7185e109d2634f03caa1d0c269c2295e7d6b493aa12fc04a4f37fb18f3ab4152a1aa6ede7727df57
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

Executes dropped EXE 2 IoCs

Processes:

sysaopti.exexdobsys.exe

pid process

3012 sysaopti.exe
2644 xdobsys.exe

pid	process
3012	sysaopti.exe
2644	xdobsys.exe

Loads dropped DLL 2 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

pid	process
1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVW\\xdobsys.exe"	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBG7\\bodxec.exe"	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exesysaopti.exexdobsys.exe

pid	process
1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe
3012	sysaopti.exe
2644	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	pid	process	target process
PID 1972 wrote to memory of 3012	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	sysaopti.exe
PID 1972 wrote to memory of 3012	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	sysaopti.exe
PID 1972 wrote to memory of 3012	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	sysaopti.exe
PID 1972 wrote to memory of 3012	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	sysaopti.exe
PID 1972 wrote to memory of 2644	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	xdobsys.exe
PID 1972 wrote to memory of 2644	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	xdobsys.exe
PID 1972 wrote to memory of 2644	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	xdobsys.exe
PID 1972 wrote to memory of 2644	1972	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	xdobsys.exe

C:\Users\Admin\AppData\Local\Temp\3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
"C:\Users\Admin\AppData\Local\Temp\3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\IntelprocVW\xdobsys.exe
C:\IntelprocVW\xdobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2644

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVW\xdobsys.exe
Filesize
3.9MB

MD5
0ee41f8e28d3bc692a9dd8ae19dd6fbf

SHA1
bd561438d44eaa2f8e4c5b5756825d2fa5290de3

SHA256
0d68ab8385ee0d5883f0118f8e7373d0d71377a9968c93db9e69601a617139f9

SHA512
0f5e003a63f70f5e272570a25c91890a6bf6c27e42be2271eaa651f8e6b9e23292f890b948abb68dc3356724f10008571a66c1a3e99df19d8798e5e672e2916e

Download Submit
C:\KaVBG7\bodxec.exe
Filesize
3.9MB

MD5
45eabdde7c08483ed9255f737bc058ab

SHA1
705306de0dd06c45f2e9f4cb9300581a3f016490

SHA256
6e3336e95aed06b63669ac00c31fd057109d2fa0fe751d47c427aa3f57370486

SHA512
1365f67af273c95a15d1ee452cbbbf2b3938103304ef43cde95641a8da7660b71bb16d8d48ccffcf8ef2d487540852653cc86c7b18a55291917b300f13140f36

Download Submit
C:\KaVBG7\bodxec.exe
Filesize
3.9MB

MD5
94087ae3dccf5f1b405f2c91cc1e0a36

SHA1
c9c4bda8343d151e43d3742fc48ad41337b70ee6

SHA256
ad42dc66c3237d42f3fc4cb8c877c3faa3732229103bea47ea67e2fc62f4b248

SHA512
e8f021f6afb8ea5ba73fe89c746404641b74e0cd1230539876d4d018165fcf193417ad8bbf0df9bec0b91632d1a00a86eca4c2cef8f5a532cf49f90f4fb0d819

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
172B

MD5
ebe29f07ff0801a08af0c8b6385f1b8b

SHA1
f1428342f1369934931161002c3abbbfac381f5b

SHA256
2110ab9a31788909f6ddc2ffab5e5c379d1ae97a11431c2da8724b203019b798

SHA512
28fd8221351f600cdac542a7ebf843a388bcfc04372d8178c43df23ff2d50d9aaad9468b2cbd7d9501c88d017a24e8721df48ed3bcf2138c7dc689a402e07034

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
204B

MD5
e1e6fc7feb21903854d9cafb1ada1656

SHA1
2fa11644984aa8fcb8684e5b730139a478874602

SHA256
e7fb2d775a924c20a977190c85241208eb6f7009add65a25fd85bfb9a259abdc

SHA512
8ed97b87d10e60510b6ca9aac65964989260aec472972003f2fd39a428a77dea3a46a5f830f4e4ba2c7fc6709789182842f1692400092907573f46ca15402fbb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
Filesize
3.9MB

MD5
d6b3e766b3faab896b56bcb521c92cc6

SHA1
4fc6b4110c9c6f9843246ed4e6a56b52275790fe

SHA256
a9c60a63da7fe3601967d61739847ea1f94626c7378596fed579de9dd5e508d7

SHA512
089c2c83488518d2aebe8881359c22cd9b31dcfff685fc9a183ac80074e009e0742341c4ece6c1c29e2a1c3e5a12ff5ec735f3fefd6316588b7b946ce59dd550

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads