8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
Size

3.6MB
MD5

1b465683b99a9a059afa5892b0e58220
SHA1

6df1d43c168027e0a22feca76427aa49028f8a9e
SHA256

8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24
SHA512

a1f197898b45681e2729f13d3a936e771765c14a5e1cfc7c5817136d9be0fc6eeeea3270526bde74523e838303c83cfed1751bcfdd770859343671901f6899f6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	sysxopti.exe
2160	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQF\\devdobloc.exe"	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidN2\\bodxloc.exe"	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe
1172	sysxopti.exe
1172	sysxopti.exe
2160	devdobloc.exe
2160	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1172	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	87
PID 5104 wrote to memory of 1172	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	87
PID 5104 wrote to memory of 1172	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	87
PID 5104 wrote to memory of 2160	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	88
PID 5104 wrote to memory of 2160	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	88
PID 5104 wrote to memory of 2160	5104	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	88

C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
"C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\FilesQF\devdobloc.exe
  C:\FilesQF\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesQF\devdobloc.exe

Filesize
3.6MB

MD5
96436e55c8444dab12465a0bb3722b02

SHA1
6d4dfb8a8bcee413e8cf688fd4e249ec8b4a05c0

SHA256
cbe923113db68ab807ea56c405b284e80fcb1251f42bcbdcd07bc6f72476da17

SHA512
dfb03e245d23adc918b5f39b2e10325d1c48da4b19db018738997c2294247b318bd935ffce18bd51f43d6da3bdeeb68549368897b117d6df3b11f2a02056802e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
ee43af2ed1e650ade25082d54304481e

SHA1
0bdaec59726357875570c29e3a352756d9418f1c

SHA256
76c28f040d4bfc0f61f605d9713c1be4a8c1b794d3e74324c8825b310f29b12b

SHA512
a20f835df8fa16d13d8514b4e9f002017bd3a7c735f69751bf9a2c3ff0123398350f38b4437271f6b32631d84ab41123df4dd4f8811024d960b0b70df4d4456a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
986d514b27c14219013fdb4ee917b97e

SHA1
b2c5de21f4c49a710a9834df60e0ebae75416ee7

SHA256
93e07aa3e827faea5277068e5284b69585787b96a50819ba17dde18c4d300d29

SHA512
dd0802423eee32693433abbf86d6be629c0491fb8b10807e6ef65e0816286400c4df0abb46895cff6c0df537d12fd19b6eb53ab86a0b3ba4334e4e362972f420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.6MB

MD5
d5b02e41d254f8515d652ee79ad24b6f

SHA1
f4df6efef12212414edf33d000c06426ceac1868

SHA256
9b99b977d9459e8398d3bf31b09f3e88c1fedab2333ad391788bd758b7775ae2

SHA512
f3cb4a87a12c7d185cdba126a188bb3471257793b59cfebad60429ebd80f12d7a363f9bc5e5d649e4547470fa0c29d5bc87fc1d34e8f08ae451ab97f260e4077

Download Submit
C:\VidN2\bodxloc.exe

Filesize
606KB

MD5
391ec43b5eec11edd0ce4ac8c7871ffb

SHA1
872d5c470d74a825e3f8531b0eea94936d9b61d0

SHA256
d6fb416a3cf118599aa5ee8e82fcd918b99c36a3c7babdfa97b7e7200657c932

SHA512
91fd6bfd960f14ca8dfb558d895daf33061997efa6e068c3dd35f6263a9fdb26b94d7671a0c390c4f8c668f77d95adfb5fcdc61d2d9b73b33d5c125b5183422b

Download Submit
C:\VidN2\bodxloc.exe

Filesize
3.6MB

MD5
d5349187ff6712f00b74977213f3a09f

SHA1
081120b76a19e4b2be222934c7bdf4406febb804

SHA256
0251bbd97df6da6986fdd60b7252c09e061147b77da0551c169c383571de27ed

SHA512
f7221892dc1eb54a84e6eb50f9f5f9d82f2359cc532ea6a77a05077101cf7a872da01cb199208594c4d10ea40cc853b6188631f8dd750a97ff6e184b3211a7bb

Download Submit