7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
Size

3.9MB
MD5

2cfc2e9a741655742abdcea269f27f16
SHA1

81ed7959e5928da469885282a4067cb036eada14
SHA256

7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c
SHA512

8fef6bdfb437c022e4f0e976c1aa7ea7f8ad5f39586a7a505f8e7d86c90687d33b1c754c7c2829802b25a54151461eae6199cc86f058461a12c7d17113492dbe
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	sysaopti.exe
2556	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFM\\xoptisys.exe"	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS0\\bodxloc.exe"	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe
2980	sysaopti.exe
2556	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2980	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	28
PID 2496 wrote to memory of 2980	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	28
PID 2496 wrote to memory of 2980	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	28
PID 2496 wrote to memory of 2980	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	28
PID 2496 wrote to memory of 2556	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	29
PID 2496 wrote to memory of 2556	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	29
PID 2496 wrote to memory of 2556	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	29
PID 2496 wrote to memory of 2556	2496	7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe	29

C:\Users\Admin\AppData\Local\Temp\7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe
"C:\Users\Admin\AppData\Local\Temp\7230c3d9a9b62cf38cc78bcb4805ba92962280fbbee509900828eebdf329fb4c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\FilesFM\xoptisys.exe
  C:\FilesFM\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFM\xoptisys.exe

Filesize
3.9MB

MD5
ab9c2a7ec4b6182f072435c652d95d12

SHA1
a83b31f3b80b7d01401ad2bd4dd574732bbfcedd

SHA256
0d1886863dcceed81e9c9983a8655cb848c2cac459bdd58347f82143431aecbe

SHA512
76ad69178aeb7d0eacfe6ed81ee4ff349bf043138eaa81554a07e0f176a2d0deb563570d7977f06f0303211d1127ddde5dbbf1bc21ff80354c3677a0a1067cd1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
a19e12f415e3ac39ed80649c1134b78e

SHA1
7384f215aa9bc5c57317d0c3060d773c711c2ae0

SHA256
4b0b1324b4480a04c959dce9e1df68086586e30895ba3a2b435bda57e0fe113e

SHA512
eb67a6dc6430d62b6859e354d675992ddbd30798e38de671f19b673a192701a557abaa1a40007826032fa81bbf0a94f5c0c94225803c2153641a674d935db76f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
02f21068bcb1bca318c0fb7c983d87ae

SHA1
c123caf8cd8419f04107416e8bb5dc266aab77dd

SHA256
e09a72c0dc587cd0fb597844b26eede2d9057c0a9f59a5a5448c1ce258a93317

SHA512
4af37bc1c41f28ffcc4def3d71832ff9610727dd75f4b188477b6c8387a8bcff159506800f3b69fef18ea13537e14bf043ce043fb6b5f67efbef2c115021613d

Download Submit
C:\VidS0\bodxloc.exe

Filesize
3.9MB

MD5
170c7532a9d30e6deed23f3936af5224

SHA1
27d9b98be71b4c73dca44b6561c8d1c3c4c53332

SHA256
85d6c1a857a956819d8af3575be5be7ed551954d80d6b4a07a7222b59c18c368

SHA512
9c5a8026b0ec42fdb7cac487782a896e8dbe16d2aee3dde7ffc7c91fbde9f6ef576fa1fcf3912e45410d262e956b33dd1d200d6f30afb56a03de8058eef9c7ef

Download Submit
C:\VidS0\bodxloc.exe

Filesize
3.9MB

MD5
af38b2f03d6233a4895b002226ba5437

SHA1
20f384d992331811a32726067410c96a35e21b88

SHA256
bb6ff3ed7eb12485172227805e5c5e6740544bb39cbbf043e3df225adc7cb7c6

SHA512
09824edf2e0b7d239064dd7a612cfa80f6803bb4aa262eb96dd8271e08c5b8660b05aa89e1e6291c6251a4e0bcb318f567b7a1fa51e3024c0a7eaf2bba98a59b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.9MB

MD5
a352635214828dcbdf9b56f4f3524e66

SHA1
dbf5ab393d5b3c501597e3fd0dcd22aa12d93cde

SHA256
97ec2c3dbc48fd7292fa33b810720f7016a3bc22a29447a1e3fe8835cdf47781

SHA512
057aff37ba2de2b8968c7bd58741435cc2289b95d8bdaf79b25fdcf069ee07bff78a85c382f1ace5887537b3907a383b4d8312e589aac415adc3aac8976dd37a

Download Submit