f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
Size

3.1MB
MD5

f93989fe91432ab483ed3edda3d84814
SHA1

c193cdc726c8d6a5eb1ff0fd626a988626f0a90b
SHA256

f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c
SHA512

0664cccb61106b4481bfdfdf3e07ccfb0d8cc70e77e7ce80a13a7120eefb22bbc9a4297de6dadb8ff5a2dfdee647989bdb13b2dcc0937287398bd3ce229bebdd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpJbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	sysdevopti.exe
2396	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4W\\xdobec.exe"	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAR\\optialoc.exe"	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe
2912	sysdevopti.exe
2396	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2912	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	28
PID 1856 wrote to memory of 2912	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	28
PID 1856 wrote to memory of 2912	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	28
PID 1856 wrote to memory of 2912	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	28
PID 1856 wrote to memory of 2396	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	29
PID 1856 wrote to memory of 2396	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	29
PID 1856 wrote to memory of 2396	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	29
PID 1856 wrote to memory of 2396	1856	f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe	29

C:\Users\Admin\AppData\Local\Temp\f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe
"C:\Users\Admin\AppData\Local\Temp\f715b76a3f5a9af6f08f68f1e337b9ad88944449a73d47152519c7bde3832d1c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\SysDrv4W\xdobec.exe
  C:\SysDrv4W\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAR\optialoc.exe

Filesize
3.1MB

MD5
f0f3cfdead12ea22fd06b637b119c597

SHA1
30bb952c8bc0acd987af6da88eb4295cde25a8c1

SHA256
e29c6f284c02bd530d6739899a9fc7ce519717efca2f0f78c62c8a183e99b1e7

SHA512
47dc05429a26d9c5ff518ab630df1a2d449f963da0d751d96ea778d095455d176474744045b32b60022a7955402eacbd487c5ab112b655c58135c6a4a881e0c7

Download Submit
C:\GalaxAR\optialoc.exe

Filesize
340KB

MD5
a30922e1b63b3d1bdf468b6eb193f7cf

SHA1
2ed28e53cd89b577015a82ecb7a4b4ffcb60eb9d

SHA256
77fd262e4f16e273a668c7b247ef512be2b9eab79f381ab975538e1d11c87004

SHA512
43c766838336747a0a0d0252b4e8fb55cec3e96d6824b77553570539facc06ca2e6255b0e6faa8311dfee8706dc07d0f4929b7e74008ea4c0021ad51eedf09d6

Download Submit
C:\SysDrv4W\xdobec.exe

Filesize
3.1MB

MD5
7cfb29ac44f805a505610f7dd04cda38

SHA1
e5ca55814539adc1f761093ba9949fa8e2e41a1e

SHA256
c7f89ae0024e0384303ec50c611818a4c5929785623208ee09dc43dc01277cf5

SHA512
18abfcb57f2b837b737ca5daa472016c2dc33f2a65d1f5acf0664df208418defd7f928b33ed1c02ef722760fe6db182b745cdd66c13041b02eb754cfb4638278

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
7cda6fe3cb987156bc668aa262a6753b

SHA1
562f4185f3035235af9af127844fd4dd6470df0b

SHA256
a6cb1dd9d79b8032392833fe432ea3c44bfe0fe3daab680b2e73ec738367d38d

SHA512
a400c0e3918ff31934ba4f16a671a27f10b681e0070321d96de1243c7fe5ec4af5026eebf18653bc4084e766abed87dafba3f29af6ff155be54a9b920028ab47

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
104a9d7d23633c47910ebc05c881b2cd

SHA1
3c665d890698c6028ffb0226ac8870f7c0b7975d

SHA256
98865abc878a7aa4d5d817de3fdef39c2582d3ebe05c651ee2c99cb012fc8216

SHA512
37a7761a56060768df186270b7e88d61f1e43335d5fc333eb19b954d10d8f71f205f646d0dcd98d753f6d12e12c0e0ffd90e3dfcf718f0b3144dad3f276c4d1f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.1MB

MD5
14a7dc28dbd12d0079cdc07fa941458f

SHA1
5cb5913fbb2ef5512ffeb6a6b6c408e2d47115be

SHA256
ee3021ab617e3fce60207ef6e33a1dff7679d63e2aa7b10b860071f618e35c6e

SHA512
ee38972af181ad053b3854dd10bc3c7ee02de4f29f73e1c694b11130c1aeca71ef6da770f12e9b38ef1537a7ab8d73d0210c1a974d9a7b1cb7d3acf3d68de3f2

Download Submit