6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
Size

3.0MB
MD5

5e6ce16ce37d802d8a0a0c1b4f6484fc
SHA1

967c73724d5be7496bde1204ab585e9e3af51824
SHA256

6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588
SHA512

a374ff050da7297c66254ba87ce86b82aff416e424776af13f19b76c52786fde820883833558b94d11379e4d22d142ffcfb464fe4099a59da2edd877fd893520
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNX:sxX7QnxrloE5dpUpKbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	sysxdob.exe
3588	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKM\\devoptisys.exe"	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMM\\optialoc.exe"	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe
1548	sysxdob.exe
1548	sysxdob.exe
3588	devoptisys.exe
3588	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1548	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	98
PID 4236 wrote to memory of 1548	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	98
PID 4236 wrote to memory of 1548	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	98
PID 4236 wrote to memory of 3588	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	101
PID 4236 wrote to memory of 3588	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	101
PID 4236 wrote to memory of 3588	4236	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	101

C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
"C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\FilesKM\devoptisys.exe
  C:\FilesKM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKM\devoptisys.exe

Filesize
3.0MB

MD5
f4fc4103ef83d4f3931ff2a5ddbb1901

SHA1
9da9ffb81ea5ed1a48695e44b1282fdd5e43c6f8

SHA256
515f09dd4ff7b828460706a41d805b88fad43b00a5fe3738be485ec843e84919

SHA512
d5a9d23e654cdf80728eba1cea2862e2f87619a8d257233f69efbf7abf120b8dcdbf8565e866be56c21ff31ecd824c7ba10e21a259a7054a4dc881a1eebdec12

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
2c2ae640e754b926cd7eb02accb45bbc

SHA1
e78f3dda18d6aa3dfa628696381f735e98920c3c

SHA256
b048252a7e98e6ed9ddf1f76477b511537574c9331542abb6b4eedbf9f55cba5

SHA512
70ea90569cddeb093106de02f34a4bf0e719b880c178908d11335abde3f52189cc648bdada487bcf7efdfbdfbb7bb188d18506f9eef5d90445594cb58bb63753

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4120d9b1cb5159a1973958fc6d6d4cc0

SHA1
f03a2fd4e3df3010ce39f3198b90289d437cb7fe

SHA256
084f131e3f6a9815450262799dbde3d2fe96e7c0d90671779bb7eff0ddf04d60

SHA512
b353ffc590ae98e747932a8a4d2048573519987abd0215fe66878658d8b16c5b52fef22bc4fb69deedd536626693dac0c95f70e6a27b909547771c7b318e7841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.0MB

MD5
2eedeb4400a3ebb0e886793a8aaa3494

SHA1
e2bd54a3adfe23e195826cc69ff166c945516871

SHA256
a53d09182c4bb59230bba5f6771edabc0a28aaba0ca810d281d5cd36e9efa15f

SHA512
17925723154026fc85248dc7e975ba0e1c93430e27ea3823861c2cacf6b68d61f8a6f6c867c6e7bb29e422d560a2c16d83db2ed680e9c9f8d253b0859cebe4a8

Download Submit
C:\VidMM\optialoc.exe

Filesize
3.0MB

MD5
77f12d631231af6428f3e25dd1045307

SHA1
4915f22563ae5f761a29158e0f59d0075843f635

SHA256
9d609009a347e1d1f551fb44a57ab20d409b60165f54977f37b5aff8a5fecabc

SHA512
ed728643b4461fbfc911b1495fb0a55b04fc3a167475c76d21869bac3dcbbcccd80151050a87c0701fcf2d99ccf76a2d7265f94d8dde5d6772cfaef034282542

Download Submit
C:\VidMM\optialoc.exe

Filesize
3.0MB

MD5
a7e223698eb304ecd2ce219ad5f1fade

SHA1
0688f50730176c9882ed6072668c195c6ae44c71

SHA256
d9fdbe5779991b313a680fa38d803e61a96d6278ae4d43beb59ecfeabc518bf6

SHA512
0f3885b48dd96385d587338865fe5881ebc16d61781155d162310317d4e0e92d6c3f88e9c7bd20aee788b79b09d84c28e7578d5b74c19553092da9d911bd228f

Download Submit