e8acf2d0a610aefc5f31a171742654fdc650785df62e9dd7ce805db86d124d77

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 11:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59f6045bffb53fbad4322925156c1590N.exe
Size

2.9MB
MD5

59f6045bffb53fbad4322925156c1590
SHA1

25c7f7285500dadb47f394b67048104112226b16
SHA256

e8acf2d0a610aefc5f31a171742654fdc650785df62e9dd7ce805db86d124d77
SHA512

dbe193558ff08ba84397aa07c0ba9924b5cd9335832958409c2d6d03944dfd1a6b3712931d8b71edbe779f38f62f8f980aa8ed6627848e5a363ed41aff5e98db
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8:sxX7QnxrloE5dpUp5bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	59f6045bffb53fbad4322925156c1590N.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	sysxdob.exe
2876	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	59f6045bffb53fbad4322925156c1590N.exe
1656	59f6045bffb53fbad4322925156c1590N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvC4\\xoptisys.exe"	59f6045bffb53fbad4322925156c1590N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXZ\\bodaloc.exe"	59f6045bffb53fbad4322925156c1590N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	59f6045bffb53fbad4322925156c1590N.exe
1656	59f6045bffb53fbad4322925156c1590N.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe
2728	sysxdob.exe
2876	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2728	1656	59f6045bffb53fbad4322925156c1590N.exe	29
PID 1656 wrote to memory of 2728	1656	59f6045bffb53fbad4322925156c1590N.exe	29
PID 1656 wrote to memory of 2728	1656	59f6045bffb53fbad4322925156c1590N.exe	29
PID 1656 wrote to memory of 2728	1656	59f6045bffb53fbad4322925156c1590N.exe	29
PID 1656 wrote to memory of 2876	1656	59f6045bffb53fbad4322925156c1590N.exe	30
PID 1656 wrote to memory of 2876	1656	59f6045bffb53fbad4322925156c1590N.exe	30
PID 1656 wrote to memory of 2876	1656	59f6045bffb53fbad4322925156c1590N.exe	30
PID 1656 wrote to memory of 2876	1656	59f6045bffb53fbad4322925156c1590N.exe	30

C:\Users\Admin\AppData\Local\Temp\59f6045bffb53fbad4322925156c1590N.exe
"C:\Users\Admin\AppData\Local\Temp\59f6045bffb53fbad4322925156c1590N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\SysDrvC4\xoptisys.exe
  C:\SysDrvC4\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxXZ\bodaloc.exe

Filesize
2.9MB

MD5
78e0ef1384b6425d315f04302999c7d8

SHA1
acf2f417df7e8eb867de5d3fdcbde4206c017356

SHA256
df11d6ad78e1b14d80dc1cabccc22b9345f3aa401eb6769da7f4b8cc9b9bdaa4

SHA512
191b9c0457a62e01e40354d587503716b3436827aba233a59ed7562458ba431050ceaea57b8b0174852aca63818c7a99f27894b9c53525538604d7a710388f07

Download Submit
C:\GalaxXZ\bodaloc.exe

Filesize
2.9MB

MD5
31c31636d5e71a085e40e88e7553ff28

SHA1
3cb27718e9ddeff56cc27221c030f5e71a5f63c3

SHA256
cf5f0efd8201dd9e7b48239d8dfcd40dd11db010f585521b34a2805be6b133e4

SHA512
af16003d6689e3c073bef55781a16214ced0b1387bfa8372276b4d7dcc0b3de9eab26a6b64566a66717b83dcd79a811bf63ef7a55cecab9b2c1d28b4521d7072

Download Submit
C:\SysDrvC4\xoptisys.exe

Filesize
2.9MB

MD5
90e23c4383f6ad22b3bb69270f93dc17

SHA1
c4e0b8c67174a7d969111713730b00dc8c459e0a

SHA256
85963dc49b85d85ba2b5314fd2a127c54541bc091a3333cb60cf51a078e1e29d

SHA512
792b0930064ae0bfeaa1855d9e2d0783da6600e3fe99b8eceef99515f706b53fd3dfdb97790f69838dc01b836dc8aa726dd7408ce33dfc7cd1d42e21dca07bd6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
6569ee89afce8f1dd6dbc2ba3b1f7362

SHA1
da600e54a94be99e11037fc1ebd2c603a1ec6e82

SHA256
34f63a01727d26937a15d84a121ac5506f20a2476af0f1b67a04c8c9668efd0c

SHA512
7f76791af8a251e24002e949fc8282801e1946bbb7d50005801168da78be6152b3445db0c77437b6eb5085ad200ec9c67cb4be8d79c16cb72e222210e5c7c79e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e81337d5ea005af785b4449136f04607

SHA1
92905121d4c77bae94330efbd7bb02ec58b172ca

SHA256
de82737e76073c3c8051cd8a3920475979087da19cd369789f3cbfe5455b6641

SHA512
434ae68d46c9d66d76848c9e5b64351a80571dc3ca539bf9278ca4b874db61ee4c9eab31dac5de83fce016908e19b26ef769098bafa33eeab259c2845298e6ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.9MB

MD5
453a49da40f3f355db84c52c8f527d72

SHA1
d2219cf5e98df07ee135f170f0c6d65e9f9e24fb

SHA256
0741cbd1fdf66c5624e47feb5538bb4dfcc53523d16546ab5a70b6693c1e0b8b

SHA512
c12ee9ed0b37aa8e1e957faf9df90f9a67ae8dc8fbe9a06bb88bb78717e0897af50d6f4ca2e02c1026ca1b2f8e8e911f98095de6a751cafafb479343938ba763

Download Submit