Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 02:39

Static task: static1

Behavioral task: behavioral1
- Sample: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
- Resource: win10v2004-20240611-en
General
- Target: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
- Size: 3.9MB
- MD5: 913cbc7960bb52b182613064a135b7ad
- SHA1: 474902ce8d516b979bf4d6159421d593ddc06e4b
- SHA256: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8
- SHA512: e8811cc8146fa9adb304cb2eb149d0b009e7b413a05585eb91ef91d35d5155cb46eef0bb28d3b4b1253f058e01f23d8da48a2f0d38f2f85c979cbffed437cec4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8
Malware Config

Signatures

Drops startup file (1 IoC)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 1956 | sysxopti.exe
- 3996 | xdobec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFS\\optixloc.exe" | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDC\\xdobec.exe" | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; the report lists 64 repeated entries for these three processes):
- 2232 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
- 1956 | sysxopti.exe
- 3996 | xdobec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 2232 wrote to memory of 1956 | 2232 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | sysxopti.exe (3 entries)
- PID 2232 wrote to memory of 3996 | 2232 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | xdobec.exe (3 entries)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe"
  PID: 2232
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 1956
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - Depth 2: C:\AdobeDC\xdobec.exe
    Command line: C:\AdobeDC\xdobec.exe
    PID: 3996
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads