8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
Size

3.9MB
MD5

ed764b747155333b729aaac05d2cec86
SHA1

bdf9648877683043e5f3567f8858a813156ce184
SHA256

8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed
SHA512

3e1c9313024e211cac7838638e5a402a07a60f49db7e5d84182db2fb5181df8b559c500c89c99a092e1b3430055ffcde18992b5c922af669bef5b00ee9d3c958
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8:sxX7QnxrloE5dpUpybVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe

Executes dropped EXE 2 IoCs

pid	Process
3816	sysadob.exe
5056	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePQ\\xoptiec.exe"	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1K\\bodasys.exe"	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe
3816	sysadob.exe
3816	sysadob.exe
5056	xoptiec.exe
5056	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3816	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	88
PID 2012 wrote to memory of 3816	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	88
PID 2012 wrote to memory of 3816	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	88
PID 2012 wrote to memory of 5056	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	90
PID 2012 wrote to memory of 5056	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	90
PID 2012 wrote to memory of 5056	2012	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	90

C:\Users\Admin\AppData\Local\Temp\8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
"C:\Users\Admin\AppData\Local\Temp\8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\AdobePQ\xoptiec.exe
  C:\AdobePQ\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobePQ\xoptiec.exe

Filesize
1.3MB

MD5
a75eb2bf52c078fbddac05ec38f0867a

SHA1
3790521f0d331c3fe796773d558d89e84ef62c75

SHA256
bc19b3078769892e0b00aa047425f90a2f805ab2b45848d2e91ed909cc4ccad8

SHA512
0593fceddd0dce9cc1e03b9c86c83e5c23d84ae0944b23acf2433ffb414df1d8ca1c65e7648841124313b6dc833708bcd726b83072a9bed46fdc7afe3ba1aea6

Download Submit
C:\AdobePQ\xoptiec.exe

Filesize
3.9MB

MD5
9c8ee1f8f92310effe3282121ca1a7b5

SHA1
c0ecbc1ae9e68460a404fbbcdb64bfcf7a2a6fb4

SHA256
7c37bd6332ba68e819951c324567ff07666b7688f54a0194740cbf9590a521c1

SHA512
1694bf94286b97100a55e043c868ecbb9fc5e4bccffec252646d62f42bb3216e015facff53d7b8b55d271aecdc08290409a91554127e147260de2da6bfcf1ff5

Download Submit
C:\KaVB1K\bodasys.exe

Filesize
2.4MB

MD5
b462ec64839c367ae5d1249dc5935a11

SHA1
03dee70ece1e1f7b2adcaf85750c58795fb8f12b

SHA256
f016f3de07b78854c78ac0f2df49f070e3efbcd1b5fe64a4fb8a75a89a97fdf1

SHA512
fd27d072ec1746899618fd5e3d1e925e19125f77f0e8c0bd37f7b912f9c2b0505140f49c74ee4780865da185dcf2c4757dc50adaf9b78e7cc46db8548b06b2d9

Download Submit
C:\KaVB1K\bodasys.exe

Filesize
3.9MB

MD5
b9972a51d2d311cde1d07f78d1e5d951

SHA1
080dfb63e4246e5d510ca3f5302a7d0f9fc0add1

SHA256
477d870c19bd8d1c1f7a7667c4fd84b41836cc515cca2a60435309c9f6d66aa3

SHA512
256b77a23764ce61b81965923d669275622bb1fd522a041f1b270af80de30ddeeb7b84172aabb6264ec80561e7b6f28e6145bdecacbd5ebc9f272d128d39e923

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
a08c31eb23308acb5094e84dd8cc47fe

SHA1
6776fc05ccc426dacec3e723418c2b48ab7e82d2

SHA256
f58d1b7c46c358ad0aeb3ad16199cd5f9c92302efb11919c4f4f63fe3be5333e

SHA512
da57783fb866a7600e2fef1314359dee04d6514b36cd4882a39f85c62677f738272c366779ce5e3ce3ca78848e0e8b9d7b52267e1a4798ed9ddb64c8fe40dc60

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
d9a007c1d0414084c38301f82c7dc334

SHA1
fa92021f53842fad27db4ef1b576d1baabe629a3

SHA256
0226c0a52f5f7c78ced69182cf4d35912eb45d33621de35223aae56d68cb7e44

SHA512
9f4a905370b53d886a0ef6b9b9c542b9129f25ef9f53191b3dc81936c7182b8c7eddd90de846c246ef768e1e7e0bd506d885fbfb4075f1cd4cd5bb03b4efc7ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.9MB

MD5
82b8ad8051c7d3f7fb35696951cd23e3

SHA1
38adddb4a4f06676a5135e0b713d6bebac1b56e9

SHA256
8b86552ccdebf9e56bd45084139d75cbbfcedea37f070642412afaa7099b99d7

SHA512
3b5d1954c061c731bca232083cdebc09dcf69a8fca794f35eaeffc36181a6c7793f47d18dac89fb69e2c4dd263d388cd627234290b6163d5054fd9db7348251e

Download Submit