4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
Size

3.9MB
MD5

14c9a9fde298ea76d25725507bcf653f
SHA1

3f1333bc16975b78da5741d8f5a27593a3e5f264
SHA256

4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97
SHA512

6464472cc0d68f0904c49625e60adf61ccf3bf3618185c9e13ff5a24c24dee91cc4a3586ac7582defa551354bf0d266a3e550e6ae948f7f86aab78731688fd25
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	sysxdob.exe
396	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEH\\xoptiec.exe"	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKB\\dobxec.exe"	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe
1212	sysxdob.exe
1212	sysxdob.exe
396	xoptiec.exe
396	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1212	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	90
PID 4276 wrote to memory of 1212	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	90
PID 4276 wrote to memory of 1212	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	90
PID 4276 wrote to memory of 396	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	91
PID 4276 wrote to memory of 396	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	91
PID 4276 wrote to memory of 396	4276	4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe	91

C:\Users\Admin\AppData\Local\Temp\4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe
"C:\Users\Admin\AppData\Local\Temp\4d40de5105aa36dbb5ca0ddc9cd6e97c43f8da9ec642c1acb10c995115f72e97.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\AdobeEH\xoptiec.exe
  C:\AdobeEH\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeEH\xoptiec.exe

Filesize
3.9MB

MD5
879e5a0c8afd80e16364ef0cd235a9e9

SHA1
04237466ef13497fa35b3ffa7cc7b56fa981a982

SHA256
f9272c367500085198aa78c9e925dcaa62abafbe6dbec95eca1a968fe2da871c

SHA512
ec904256b5dd0f46c9d559a9a80660c7a8a25529d314fdc18d6732c38690aeb18a62def64f4c3b3f2f5c240bd0278eca5f3599743f971253c2d460c42e8c2ba4

Download Submit
C:\GalaxKB\dobxec.exe

Filesize
3.9MB

MD5
1a10d9e1fad58833126afab7b460af9e

SHA1
57dd03ae75359cdca530cce58ea1ae4cae840df1

SHA256
1d00a64e6948a98048b248407a13b1626d6036e69fa5c4753d97c7d401244673

SHA512
fbf55dc2725b123e02c893bf9fc52125329608372d521d7172dad51fa375604ca9265704e045c508c34e250d0c812d1ec775fc6bcea19c589f3fb5c833ced579

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
348b46f0844e69a94b378bfab74ba183

SHA1
8b142d39b228b0716ff0e1e777b0fda8e832e567

SHA256
7308a92cb3ae2ba6665ce2041e280e96463e31dc5896bf075d69d075a3b3555f

SHA512
4b8b12aab5c8b2ee1cec28f0c2f81b9acb6c3183dd1a8f97c89c4e23a58d9486896a02092b32bd2f9cadd4a05f7ad7508c63d5a2fda50dad961022c27c7b358d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
8e81bfb596eb22f03f652f4c16f734b2

SHA1
b21cc85fa7dfe5e9e1c19c308bf8e56b6b5a71b5

SHA256
ba15899e40320364541cfd2f4e84536597ae1f9fa5c32e981dc9f65fec3de208

SHA512
9cc83212e0deb6b5e8bfb1e8c6fc9612d28f9b80b67efb04c728bb362d5177bfd3285997f09ad16e0ed9bff27f6e8cbc8ef8ca54b0aa83660f030ac0a2e1acbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.9MB

MD5
7daf99ca492d8d00e13095ff79c9ecfd

SHA1
4ff91afa851f699eae42888803901e2adc91ffe0

SHA256
a55a66bad65ebd0b6a3f61b9ea1fe10a36f72858182acf32fe3629f218d77009

SHA512
883dc9d62d696ee7770be755f6a8c15f4879c26296a3002cc0472408c0b4a5735bd6a734b77d4c02c1bdee5af46f068c4cdca573878f75e918c9b4cb4fb10fcb

Download Submit