8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 00:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
Size

3.1MB
MD5

3a600d5b18f835eb5fd31d64536b784c
SHA1

2c2501d20b979c641cb6927b8128153bce98076c
SHA256

8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7
SHA512

0e57ef930596e244a5cc91eb5dd992f6a91b67223c9a12d6b92a525e430bbcff27e7a4257ede4019e27dcf99075be3a9d4d811fa1e787b32963782df51ded605
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpebVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	sysxdob.exe
2596	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesX2\\xbodec.exe"	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIH\\optixec.exe"	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe
2260	sysxdob.exe
2596	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2260	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	28
PID 2916 wrote to memory of 2260	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	28
PID 2916 wrote to memory of 2260	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	28
PID 2916 wrote to memory of 2260	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	28
PID 2916 wrote to memory of 2596	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	29
PID 2916 wrote to memory of 2596	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	29
PID 2916 wrote to memory of 2596	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	29
PID 2916 wrote to memory of 2596	2916	8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe	29

C:\Users\Admin\AppData\Local\Temp\8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe
"C:\Users\Admin\AppData\Local\Temp\8e120a5462cf866f81d818c184fe1a0e539d4fed68debc779cea49307e5676c7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\FilesX2\xbodec.exe
  C:\FilesX2\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesX2\xbodec.exe

Filesize
3.1MB

MD5
41564f15a6b6954d325cc73dc3484322

SHA1
ab996ab7611bc80ff1dcd8666d5a079e8418d3a7

SHA256
7d14aed94fd90f1b6b86eaf0d991f19e9dbeb0a22b3f9f9c79b4c2cfe14cdce1

SHA512
c0f736617f432ab7a360cf79888aeb65dc293bbf676b86fb6b441b273ca314c9ddeccd49f0bea805a44b136e1844824ee6409bb2096f4f34192a82bcbd129af7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
22885dd01486d1dea91a2ab413d91cf6

SHA1
4d5ee97debb4b700312fa07be9f8abdad9e86528

SHA256
19e744b043e8ffc4c0469829cefda2bf1a76cb33d9045b72367f2015d3c67ac9

SHA512
a31d89f632b2df7ca0dd557d58892bce5eff63cddae20c587a200ecb7d434ab5973c55c1d1c3791b54c48ee67b703a75db59f2849003219de92b50ec1ff55623

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
9c218ed8f55ab016c5b37e1fcd495693

SHA1
c71aa3b792dbd4e2cf2497081441e0d0eab108ff

SHA256
a7daea5640684aff66b75e9be684204c90cd1b45e8220be7c82f71792850ece9

SHA512
59e603d2309c812ade9cf5d05490035e52a991aeb594da232b2481f2e2bdb5bd043926345791f8255e7d3a3cf15d5887278177d047f9083ac17692606cf30f31

Download Submit
C:\VidIH\optixec.exe

Filesize
3.1MB

MD5
43363c9f5cd183fe650e94b7bf4b1561

SHA1
aa512403f2466cfea87264c40030c06e1e1e15c7

SHA256
5031198d08d73b4209493704fc46ab3ca4cccb6d42102036d0ac9851413e93b6

SHA512
e4b1349e28775747f039720e26c8a96156432a72439245e21863a94c0c286d576e4c02dfbb773bf3cc2a88313f842af9d9bffe1a00def5effcbef09762790ef9

Download Submit
C:\VidIH\optixec.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.1MB

MD5
06dd74fbb4c55d74bc1028bcf0d3ebc0

SHA1
66b4afbf46a3cf9ece18534d50943edd5bdd229d

SHA256
3b91f66f26cb56e12603f8b71158838cdfaf0c301704f854fe5fbec675bce487

SHA512
a0f1da51c401ac340bbcf7100b7789fa5aa9982d34a8110f890d2c00d482cced2a1a53fb055c3e6a90143a301587af8881e26e55cbb94373429bfdd1a08a5843

Download Submit