434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
Size

3.2MB
MD5

4c8cb99a8004e60e900e4564dd8ab3fb
SHA1

02132229ff03029fbf20b2f4bc8d1e940855e1f0
SHA256

434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315
SHA512

c3e97e95bd6c405281527dfb3fc9fa7bbab51594d9db0cf0b95075e597a9df643181946bd52cc55006dffb322bcf3a513abb8253b6ba90f27b259411483b0dc1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe

Executes dropped EXE 2 IoCs

pid	Process
1084	sysxopti.exe
5056	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMG\\xdobloc.exe"	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBY8\\boddevec.exe"	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe
1084	sysxopti.exe
1084	sysxopti.exe
5056	xdobloc.exe
5056	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1084	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	82
PID 3432 wrote to memory of 1084	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	82
PID 3432 wrote to memory of 1084	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	82
PID 3432 wrote to memory of 5056	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	83
PID 3432 wrote to memory of 5056	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	83
PID 3432 wrote to memory of 5056	3432	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	83

C:\Users\Admin\AppData\Local\Temp\434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
"C:\Users\Admin\AppData\Local\Temp\434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\AdobeMG\xdobloc.exe
  C:\AdobeMG\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeMG\xdobloc.exe

Filesize
26KB

MD5
fd22ff16faa670189ad5472d046eefc3

SHA1
af5985a64f7b062d09005a38866558d03e8c9187

SHA256
eaeda1f937ebcde5091367ec243ec949046efb5fda41d977e79a7d193cdf98c4

SHA512
1fb354379abd6b0096371230a45f04facee9b7148001672781feff0301ab5c94b65f8f0b2e4f8b440530e07677939477ac83217e35e55b1944305bafcda71e72

Download Submit
C:\AdobeMG\xdobloc.exe

Filesize
3.2MB

MD5
85f751423be40a929b0657c5572545f1

SHA1
f79d9af05cf5f88b0e281c0c12bcd2d2e9eec446

SHA256
d041e62c53dc2a9b0b337548e7eb46df77020cfa808d782d2024c211518039c2

SHA512
9275c0ddbfabf2a3f66f26f914291d9a98475d668effc71afb0701e34a7f48214a25b1d076ecf73b5d7dcd9b04aabacf0ed153eea18792758bf2ac77e27f3fdd

Download Submit
C:\KaVBY8\boddevec.exe

Filesize
1.1MB

MD5
7d060d99b99d2ded26f2657e6b3b8cc8

SHA1
9781151e5cf3e6d8dba069cd781e2ed153faf531

SHA256
d48f94d9caa72c014d90c1cacd98ac07c23be72df5935df3ff552519b1789da7

SHA512
2baa07d46f3e0d05d59ad2d1fa2eb7c99f915634e855478538fba3af3b1749eb8dc450f4202d35b1d3458d2283404c23ddf816fbe439f7ed95ec7e972e431827

Download Submit
C:\KaVBY8\boddevec.exe

Filesize
363KB

MD5
c6a2a9ae79030c90c48540a0a125c829

SHA1
710c3bf20fbbf59de66af2fa9ce4269c3ede35e9

SHA256
b1856dd18384cdb330f1f8fadbf447d3747e3685dfe7bf961180fc7a4632d674

SHA512
fcfed1f3b19b4a5586bb4e19c5345c8591c453e482c91b8dc87f1be7714231441ef01869c7e8e420f567e374b4c64fb7bece494498f09557d43ac6ecf3eb9d93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
a2c87f686f9744e3b83f3b58a1018695

SHA1
56813509a826510727680efdb975f29f269c7b2d

SHA256
7f3cc011ec4818162cc3645f23bee94eb04f5464c8041a1ae505bb94e4c5af27

SHA512
b7d71323835902481439e0391950141a2c5fb36da5076f5a0085a77760621d54eb46ec1a3d9ee88e931fa54b3548e44a9516864c76417122c68b74fa67b9cd55

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
97469603cd45fe2871146a1530991575

SHA1
3c7c648a9bce2d4ff94450d16d04eda9c9551d18

SHA256
e29594b46945fbffef7a07d1c29dbb596d56a3dc752f900166dc116649521077

SHA512
1f5d16c6b1e2bed1d7cbef32e840d0cdecc250aa94df1fb5076f0855592ee4bb7085a5710c7868a887487f00c965a1e7b6179a76a38c5415ceb25bc7d34e7faf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.2MB

MD5
113f103f0fffac7a59bc312d9cb63780

SHA1
06c6ed28aeac696ea278de5ec52502a4292e779c

SHA256
f7837a7a2596be8d2a199f71f4758b83f66df3cf6e3830940f91eaea8214224a

SHA512
5af13b9296b93ad01fb4fd002090e55f9b74fff83b3db0a4bec9c3f756093a244074bca1564a7d978338f74d56c47de2685449fc814a938a6cefc1441e74816c

Download Submit