bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
Size

3.2MB
MD5

47517cc843ec405305007bd7b8ee8d50
SHA1

200a9924d70b4004f722a9d428b03f8d18ddf410
SHA256

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31
SHA512

be8753e9bd43790f7619131ff7fe80450a327617e57fb65047303e82fbe573e3398ed46bdad135e82888e70ab49212963cdd69dd78762c892f0c74779f4061f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe

Executes dropped EXE 2 IoCs

pid	Process
748	sysdevopti.exe
1356	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4F\\xbodsys.exe"	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHG\\optixsys.exe"	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe
748	sysdevopti.exe
748	sysdevopti.exe
1356	xbodsys.exe
1356	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 748	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	87
PID 1384 wrote to memory of 748	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	87
PID 1384 wrote to memory of 748	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	87
PID 1384 wrote to memory of 1356	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	88
PID 1384 wrote to memory of 1356	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	88
PID 1384 wrote to memory of 1356	1384	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	88

C:\Users\Admin\AppData\Local\Temp\bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
"C:\Users\Admin\AppData\Local\Temp\bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:748
- C:\UserDot4F\xbodsys.exe
  C:\UserDot4F\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZHG\optixsys.exe

Filesize
3.2MB

MD5
8552ffd96767f124f0a008b6d088285d

SHA1
d4114b0020e542942092207f25fa6178473ff677

SHA256
b547e7f23b2e1edd9fe5b7cd834379dfb0695ad632b311d684d136a6564880f3

SHA512
cbb91e71b99c6954850035b15cf46ce3f51d75ddb7041442d5c5457dc081532f48f021dfa3372c2df56de5bb3a572fe20bdbcad8d76dde149b5055c9b3753ab8

Download Submit
C:\LabZHG\optixsys.exe

Filesize
3.2MB

MD5
7379e4e9ac9f23115b8879bb1d1a212c

SHA1
b31eea506b80256c54dfd5e4a8daf74dcae3bb12

SHA256
8fe5ad9b7dc8d131856a23ee08a00e44fa78f046121491896abad2d4a29c7b4d

SHA512
751e90e3112c09755b93a6b202a3dedc89609ff44493a19516eb45123d395bd19b34b3b69d2c0109b8420383fbc2d4caf48cbd2853af733b3d7fe2b417befaf6

Download Submit
C:\UserDot4F\xbodsys.exe

Filesize
3.2MB

MD5
e8db3001325f14a4a3a87539b6cc9b40

SHA1
eb2a50decbf9f1461bffad52bcfa7d142c07bd2c

SHA256
8b9e1388e252c96f7c3c7a0c6d8d7325ad2075e4bfde3df88bde835ae6694503

SHA512
9f1f6d45c687bc4221815b2b6e1359a8e5efa7344566bcc4608cd4d4915fbb44dcde8141ad20abc937cc6661a72266df7e5783232d1d189f546fb611e3a7470c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
b949d6710e25021346dd1a90caea2f8b

SHA1
54e41689ca4a4e7a7607b1bbb1257c10be012f95

SHA256
ebccb885c7cd3af5146fc5a4a3edd9f5588bdc119c49025a316dc2aa05813ea7

SHA512
30aa7b4c2172890ae52be320a4b0b0db213e4bd6a1c77906fb201890a3541ae7c6c61c88b173b6848e94539fdfa0a518a9bedb59226127aa57355df1ae0c99f6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
b286b9194b1ca9c8d05250be6700e720

SHA1
7fbb9f14fe6ee5ff0470c2f676b98aa7aa330860

SHA256
7cbe3e5b29fcb7e43b193cb518d7b96dc5194f9588a0384967f5c7eecfd53232

SHA512
473dec19c999fee68bb1e06b545a7af7301d99d20b7e6e5c5850cceaef335c54d1ee97f1506c4545bea20863c3858ff399f7208b309d6a31d2a51c91e1a917dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.2MB

MD5
df97639e3ad0b16d6c55fb905697e3e3

SHA1
42f367c4a6123ff5e8b40d963254d123d2190cbf

SHA256
c4487c695dc0bdf5b2b72e5f5a8f3db8483de1abdfff968d518ee58ce73c18d4

SHA512
ca0fd9d3ede55bdf8f7904decd892b58d8360e549ff290a4a11a422100d582449b0f5800fb27398f403e6a66fa47ff428f3df8ed73096c1143a3d13e08017e6d

Download Submit