50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
Size

3.0MB
MD5

19d3190a274fef9ee1b1c6686b821291
SHA1

3a6be238bfc274003251097be7dfc48d8f142ccb
SHA256

50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577
SHA512

25782640a8f00189725d319dcbaeea9864eaf7d2e9aa9879a516cd045d0dd3e5729dbcda6841d0dc7d3f206549c5a8085956b2dd162bb2a2250d36cbc6084872
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8:sxX7QnxrloE5dpUpEbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe

Executes dropped EXE 2 IoCs

pid	Process
4372	sysabod.exe
1260	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY8\\xoptiloc.exe"	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNB\\dobxsys.exe"	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe
4372	sysabod.exe
4372	sysabod.exe
1260	xoptiloc.exe
1260	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4372	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	85
PID 1948 wrote to memory of 4372	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	85
PID 1948 wrote to memory of 4372	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	85
PID 1948 wrote to memory of 1260	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	88
PID 1948 wrote to memory of 1260	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	88
PID 1948 wrote to memory of 1260	1948	50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe	88

C:\Users\Admin\AppData\Local\Temp\50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe
"C:\Users\Admin\AppData\Local\Temp\50bbefa10e6336de58597f0a704e5341e4c8565630fd25f0a3547d7fa95b8577.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\AdobeY8\xoptiloc.exe
  C:\AdobeY8\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeY8\xoptiloc.exe

Filesize
2.4MB

MD5
b807ba82bd20b2b16ec19b5e73420c7b

SHA1
076aa5cd7135168647b8ebffa0c99a9c9be767d5

SHA256
3482818e11125c73826b8a1cacce724652472fed2481d90c767e10085826d30c

SHA512
8ded2c730e81a62e80b5142b89385ee6fb33b9cbdeaf5b4ca9bab82d80881ec6ffc8743967998584089e3484f0c0ef887cacba87d01bed08b65bc8923eaebc06

Download Submit
C:\AdobeY8\xoptiloc.exe

Filesize
3.0MB

MD5
bfbd3900a12b3e5ddbe5a01135213ccd

SHA1
bf37ecdabbdc8bd780175a5756ab6cb572774724

SHA256
cbc9fe22c60127254128f17385f0e714611bee690f1e395cca60f8e5c1bf89c5

SHA512
04be1db1c7a872dfcabd2cd883fc4731abe26bffef6030d31b71d64e725c0a433602c4a1858f037bd36bccef43bf6865b73c8254c5ea205a16695464e3f4d60b

Download Submit
C:\GalaxNB\dobxsys.exe

Filesize
10KB

MD5
a86336805b3d53c18600c251ef3cfa32

SHA1
69594cfc6347aa438b9319dfca41704cf4607aa6

SHA256
8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5

SHA512
2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

Download Submit
C:\GalaxNB\dobxsys.exe

Filesize
3.0MB

MD5
94762fbfee64a81a39155c7585304b2c

SHA1
fe5ccc5978d47779550d1ccc11732382fbb4509d

SHA256
5e0acfda74967deb8a7c342884c8893bf325ccf3c724c680249a967992301208

SHA512
cde54195ef0b9ffe370a63ba290b2029d82c6bd6a53799576c3c8a5ac79d9c83301910821a0a81eb8ac542ed0076307c0e22662f7a0be0e682d2d8404f81db35

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
ddf5ccb6cca41d3ff3a8b46350b87a72

SHA1
6df93f93dc420316b50b847618d90e787146ef41

SHA256
079c5766d33735fc0f7e8e31e6e3da7805f30f35705ea1f019d34c8c2b3308ae

SHA512
1cee63ed53532c2589d4b5158049693aea984d02805caa7c7ab6c9d82bd02c3c63c078b7548967ffb4ee4d91419881d67431bf7b65cecae40aed3be7df02ccc5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
a3ada0f6c8a32614e309b43ae4cfcace

SHA1
8b7d2aa5919347dc4d8f50529578110398e295dc

SHA256
cb088c9bb24faafa31cea2eb6bee4462bb7e049e1bd9e5ccac45d0e2180fbf99

SHA512
39fa3a0d8a843a029401991a2071f3661e20b6820b9f9b4633c892271366b05db780568df223d8674e1d5cbff90e702b9c0fc1dcf45e69d5fd70c3316c5d4b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
5ca06eb3e2f0a341eee5e2c4b6ddc03a

SHA1
09411409a12191e261e7c67df6053797dbd52bed

SHA256
77936912abf447b073459adb40200c15a2b061ccf52ced64cd30c5f1538a5e02

SHA512
3d6cb389526cdc9361f62e295488db81902e2e21625024e9fbc14d1f3361a5cc569bed30be54a50c37e0858f82cf8b328feb80f43fe5d95064bb361293a5c4be

Download Submit