8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
Size

3.9MB
MD5

2bb714fbf84ca158443dd603b4688470
SHA1

81d65b87d7ae36884eb77d11eb969ae899f81b44
SHA256

8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf
SHA512

e070a4fed1c22c047a30797ed950f0e4c941699dc2bcf8e47eeb45152a6c9c08ee18488034d79a384f2e3ebe04ea3731508ccd7a2a77df077fb89de5875c4566
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe

Executes dropped EXE 2 IoCs

pid	Process
4936	sysxdob.exe
4236	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBQ\\devoptiec.exe"	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB28\\optidevloc.exe"	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe
4936	sysxdob.exe
4936	sysxdob.exe
4236	devoptiec.exe
4236	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4936	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	85
PID 2280 wrote to memory of 4936	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	85
PID 2280 wrote to memory of 4936	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	85
PID 2280 wrote to memory of 4236	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	86
PID 2280 wrote to memory of 4236	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	86
PID 2280 wrote to memory of 4236	2280	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	86

C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
"C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\FilesBQ\devoptiec.exe
  C:\FilesBQ\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBQ\devoptiec.exe

Filesize
3.9MB

MD5
aad80d4ff4709e849837457bf6d8d234

SHA1
2ecdc72e0da99aa38b00afa0dd8147906bcfc39d

SHA256
c0c8baf46df6d5950fd7a2d1d90b937bf126c7b2cca8c9e014c6f63a77931f02

SHA512
2c8847f066ad4728b2613f31b8692c6cc5680ca589728ece38243793fb8c52050a3729dccd05731f36710d6be2d3324a4519e32533a11b94b0eae0fa5ad07aaf

Download Submit
C:\KaVB28\optidevloc.exe

Filesize
3.9MB

MD5
d4b51f647a1238d852ccb4ccb83c9699

SHA1
49c2bd39212574640b6f14ceac988f23bd4f8235

SHA256
553fb82df09278eaca46255385cd64bab3e131e868b71015193ef243c009920d

SHA512
e29260408f034a963e902560e9228588706d589de569ae75f5779f481c2eaefe461240da48c3a157d50b7c192bf5ed9c021d4b0d710ae6860dbc14d9bac9a1f7

Download Submit
C:\KaVB28\optidevloc.exe

Filesize
1.1MB

MD5
bf04fa63bb070dd2845042a04154d8a5

SHA1
3e199415a13f2ec61be39ab9ebb7850128187d9c

SHA256
3fe58b002e3811a783bc9a694b1d3d35cb18e27f7bd5398f2c803dfe9585aa5b

SHA512
18d5b0bce56c1b66cf437e27aaecdf00800356bfa9bf5716be626ca9d436d8e4d9f99cf6066e08d5f4d7b91caebf27dcae4cb46a3c86e051d75f56bdd844a991

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9982d859634a867c7b65b827e5c191ef

SHA1
86d7ab402de579aa3ff15c998da18d470fafbea9

SHA256
da1798b87a83e06b54d6898c7558ac3e33eb1446513c4b76c946cf94b9961760

SHA512
c634d30c5942cdc1c0e7ca124d72a927c3c333919cbcf109c37ee932b0d1e9fd824f52d2ca56e1591e04b4333e80a0b9cd15d7d445387df496b3deb879594dd9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
9c7c813c679c2b7d501677fdaca4f7d8

SHA1
eb9b8636552c435f6ff04499e735b5dc7cee9e93

SHA256
2285587a624567251ba5783de26922528d6b1127c435fb12a25ebf759bcae7fe

SHA512
9495122d34f50209d665c377dee05a6d0b9c4e463caf3d9ad0118808c7b0ba3cb0b10c30e9e330da80814a1cbf9d42959db5d287fc636cb2dacd8c4c1896e886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.9MB

MD5
81a194de700311ddad835b0fe10a0944

SHA1
f5be3dbdfac4e65d04dd0f51b92eacc9a9fad731

SHA256
3c5415ef2b6915a06c80425b1baf3131d0b404989b4e2f10803e692bbb37b9f5

SHA512
0008b281301192adc3e5d337aea22ad6a6e262de48ea2d252f3bdf2ec1a5aed1f3629a0448002736ee294fc2e6acf36d8fd1c823baa6e068d97060aeb1dfb412

Download Submit