1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Size

2.6MB
MD5

0f313eb860c87f6747ffb89aaef74c64
SHA1

4aee1be53cf5853337445a419d65b13621bf25a1
SHA256

1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747
SHA512

b35da1b690d99b4ae944a024b7755039dfef3ecff2c60bd594cb1dab06e58fd34105e8795318069ebd0f36b72ae51ed1d95a7da881f5ac0169306ab32359c673
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	sysaopti.exe
3044	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDF\\xdobec.exe"	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW9\\dobaec.exe"	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe
2368	sysaopti.exe
3044	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2368	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	28
PID 2148 wrote to memory of 2368	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	28
PID 2148 wrote to memory of 2368	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	28
PID 2148 wrote to memory of 2368	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	28
PID 2148 wrote to memory of 3044	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	29
PID 2148 wrote to memory of 3044	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	29
PID 2148 wrote to memory of 3044	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	29
PID 2148 wrote to memory of 3044	2148	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	29

C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
"C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\FilesDF\xdobec.exe
  C:\FilesDF\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDF\xdobec.exe

Filesize
2.6MB

MD5
1052328e5393b9cb0cf5f20e6e77049b

SHA1
550259645c01216d4707219cec2c57bc539d60d9

SHA256
0be54aa6a4cce604d3e0669059f3fcc4ba5ea26376b9e8d53d59620895de0317

SHA512
cea677a0ca86d64fcc10675ae3e4d27fa4bbca0c9e6b1674cb15528089c60ff7ed97dcf0f9b80c00abec0980a63042e65f7ac8cff91959a2120a986753a985e3

Download Submit
C:\MintW9\dobaec.exe

Filesize
2.6MB

MD5
d5373b6b858fcb4477f510c7e39dc2e7

SHA1
5bd8751a26a04bdb4e24ca31c787b5676400df45

SHA256
e5e742519f0d00d700622c09fa3b70b11147cbe81cbe9008d1e0c8465d2722a7

SHA512
d67c06df821d541cbebc97f688419825d03a5e1e0c31f07a06eaaeb86df51620e76f3b900b448105e2f19ca01d0afd258ad68e3b507427f78cf0d3cfde5a4daf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
6087d80a6d89107f6bcde01f05f8bb85

SHA1
2a90d790fdd285d8100020d72fd7fd318126edb9

SHA256
f70f2c145bb7c534c6b5d0552bc0247cec628e5c730b1281f3daa4db73085fe3

SHA512
faef0a6e0ed4eb506ce2cc5745d455bb813a0dc48f8280361c8ee3ac19b8629fe2677734352d5df4fd4b4cfbcde81bea0da27bd764c7443d7e366fd1a07f398e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
0febc8c2757c2cdf7d7a06f119707a4b

SHA1
d51f64aee36d074244c57d166b5a374df6f1d68a

SHA256
76669eaa7508dca7c444aaa8ea77ebbaa944b9203205a9eab99bca4daca32a81

SHA512
d99e17bb5d6d8004e1a5d4b67b54aecf63e1c1e6666a89b8457e2b7532e7134a3f76f7677c744784843c6fadf92ddf29801bf54e31598dd81e58c19218ce0e08

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
f4c10deb12c050cf2ed08963da3631f7

SHA1
1a3ba56cb24f2bc19a75e8a152888a16f7b2a5e2

SHA256
ab75a92f460cb69707c683d6089c27b674aef3c82eb7d54b85005ec8b452566f

SHA512
8390f99394309e2b803c40573d02e759e7b14689b011c57ec3719c2858f9ea5ec3af122793d556214c4dbdfec8126027096afaea2ca796fcd02588a4918a0740

Download Submit