fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
Size

4.1MB
MD5

16fd6ba11f5a978707f41235767b1eeb
SHA1

1733f76d7d616659c6d9374f501df8c1a20b2385
SHA256

fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293
SHA512

4538b8c1a652859096ad8fcf605799e081ea90f283bb6bb20ba6737428d9be8cd65a26fa5dc0880d6133d0ae61112c3b22b7bb4d89b3b075adcab0480d04f99a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe

Executes dropped EXE 2 IoCs

pid	Process
2028	sysxdob.exe
2796	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGC\\aoptiec.exe"	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidI0\\bodaec.exe"	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe
2028	sysxdob.exe
2796	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2028	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	28
PID 1688 wrote to memory of 2028	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	28
PID 1688 wrote to memory of 2028	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	28
PID 1688 wrote to memory of 2028	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	28
PID 1688 wrote to memory of 2796	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	29
PID 1688 wrote to memory of 2796	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	29
PID 1688 wrote to memory of 2796	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	29
PID 1688 wrote to memory of 2796	1688	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	29

C:\Users\Admin\AppData\Local\Temp\fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
"C:\Users\Admin\AppData\Local\Temp\fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\AdobeGC\aoptiec.exe
  C:\AdobeGC\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGC\aoptiec.exe

Filesize
4.1MB

MD5
233e2f8d53e9b695927951cd9289b7e6

SHA1
67d1fbb53202726246acc5de17595b33b0477d1c

SHA256
1d01bd1e4016842a4eb2f08992f04770467f4a8e7fc43e94dff2b4deb3ae501d

SHA512
accfc3ee8a6dfb436787a3dce9bed0cdf548fc50442693da50bca20fd58f38ff9a593fdcab4505affd2bd2e037b33cbec0050f60e54fa73cb9d65704269a63e5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
f559a6865de503f09e957c1abfd0801a

SHA1
b9ea127eb08636f45ac631b5390bf872260dafa3

SHA256
a9b66b12a5e47fd131f6de40132de7f729a72c1c246a3db42a42331ff2dc4d1e

SHA512
de6b731def9e1e6fc2582a989b101afe2eee9900876a18307491f664a22e3495a82178d8ded84f2716d1fae52ff24273f1b1f6e1daeacc2778785f8be9967d25

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
7b389d802e11f6704d5f6ce99aca4c04

SHA1
9085690ba5ec4c6c2df642aeb5ecc1eb9a487e78

SHA256
062c54fdf4929935b1b4040209c9afbebe93932b84b1720800d072e07e9179a9

SHA512
a70cfdd0b54956665c9f1787dc83594f534b3db6f89f970d17f6f85161e1bfec9c82cd845dd97c0d8687455619d33e45eee9bf90dd8161f68448faf0e1ab6333

Download Submit
C:\VidI0\bodaec.exe

Filesize
4.1MB

MD5
d9d791c9290fcbe33c526e4b5fa1c045

SHA1
c46f1552080419c665ba141a6808ed503e54059d

SHA256
64a9fa3cfbb8c23066e26568660ef652299f9a007496cbeae8ec8fbfe2637ae0

SHA512
129aafe2a46d83c1e808ce11d1dc82f37b6b17b785554f8853f0cdae77efdb7712033d1f707539b89b8f27dee8dac5ffed26e00c09c93f878e51a09b1e09cf12

Download Submit
C:\VidI0\bodaec.exe

Filesize
4.1MB

MD5
722c18e6d761436291aae9bd6493ddbd

SHA1
7665e2a5ab900819f073fc154685476bbab69fc9

SHA256
108d5ce161b910cf58d779bc53ba3d6bfdb90119ac6ec17dd6df727962eb9b92

SHA512
a0ee7fc940648b0337c670e08ffded1b4c9ecde05a313c4c1b567339814ae67242db69525aa707119e919be29e77afb6d8ee9bd9be7348c855a46a485f6012e1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
99b301d6f28f2644955a404ddfda2a7d

SHA1
e335ca1bee980179eb429719ee48ab2542784c08

SHA256
5c25eab890cb722babd1435407f4c2377d7eb92949738e0ab1dc4fe4eaa4fc48

SHA512
57bb9a90985d38fe7e90aa68daba4860f0883dc2f8c068fb3c1a2b5f4c8e1086dcef7e191c9124f4a3be2bca1498f464270c3467f887ad68742860073455487a

Download Submit