3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
Size

4.1MB
MD5

6dfef0960942fdbe4855fa92f26df56f
SHA1

fdb3c82bdcd84bea803f3a219b0b858f0379f3c8
SHA256

3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360
SHA512

76a40a3063c6afae8458626a716d671b43d7b6f569bbe1510f85e7c6675a62655b3a0ea0839936c0a888041e897e55acf4fb5786df38ab2fbdb24ffd55092eeb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

Executes dropped EXE 2 IoCs

pid	Process
440	sysxopti.exe
2152	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKT\\dobxloc.exe"	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2R\\xdobloc.exe"	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe
440	sysxopti.exe
440	sysxopti.exe
2152	xdobloc.exe
2152	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 440	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	86
PID 1992 wrote to memory of 440	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	86
PID 1992 wrote to memory of 440	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	86
PID 1992 wrote to memory of 2152	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	87
PID 1992 wrote to memory of 2152	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	87
PID 1992 wrote to memory of 2152	1992	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	87

C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
"C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\SysDrv2R\xdobloc.exe
  C:\SysDrv2R\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZKT\dobxloc.exe

Filesize
1.4MB

MD5
57c7395c5235304b8a9c4dfdb0be6bb6

SHA1
ad0d1cf780f78e82fd5d1d1e044596369610acf3

SHA256
d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1

SHA512
021f5b5af0fd06c0aa0b68ef0ee7096725c0d27dd43cd0e4f46f54d2708adb13102ca4ef9ea20a2b82672dd0bddeec563120d2a3fa2c089ee3907029af255cc4

Download Submit
C:\LabZKT\dobxloc.exe

Filesize
9KB

MD5
bceeb783568178019cfa9ce19da30a69

SHA1
3918c6d01f7a27b2a71133015ea935c5555085ff

SHA256
41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

SHA512
7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Download Submit
C:\SysDrv2R\xdobloc.exe

Filesize
4.1MB

MD5
1d7a8f1d27ac2d44c0ac93a83121d26d

SHA1
7d444a7fc45ea521dfc2b2e7ef023746ddc094f0

SHA256
31d089045cc383bb656709b020793aca15d206470f3f5880a86898c7e8886375

SHA512
9871a26f25a007d08ee9cd0a519ea74d2404097f6a9a6bdbfe2b2a8020ab3bdd9bff045b20c1c7956bd8fb7ba9c8c98b082ac1a4886ad6e28771720e6df77ea9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c7abe1dfb5f690ff552ae5f5ac233c31

SHA1
4a6a0f87270a527c12f9ae3322caa5b9cd16f4e7

SHA256
0e71175772b265dd77a33cecd906d6bf10d3db02f2036cf19cb7abec141800b2

SHA512
00f106bf430039d6e172dced2d25057e5608d5e56243af1274af4eb66758d58dba40aac9593f65f9ad9db533104681d7878d5e25ad45ac1fd100edf448dc42d8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7ba8fe1a80b81042b3993c9f7b9775f9

SHA1
f899fca684c968636e4cee4f800cba3a74666d7a

SHA256
95aed87fba88f41d2c0beee8b1f0f89131e91ca5cdfabe1ade6f68f6cc823c5a

SHA512
9e3dff298eb1a9af3c2558205f9573cc9097223f8edc43b9ac7fb251ba6322c67c3bbbc50c78769ffaadb701975691f6cce4470af22593a815a0db7d0373159a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
4.1MB

MD5
34c625ee80048e4ffb25c95a26acfebb

SHA1
649a0e75288f08011b4b940ef05283749ec41630

SHA256
19be7985a048a1aefb3ca452bc5fcfc31611d1c52ee86392b5b3fd60053f0109

SHA512
38a33c8728c4a8d5159f3d1855dd2b3ad5b2977274aa86c0c930f130da67368720e18d0ed9bd0d1574ae3d8f251a65c8362e5c1271811d32673b3f2b64bce191

Download Submit