cb627ea97186743dacdc4a8fae438058c3e3ccb871817c16a2e5f97b1b270158

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc7676d7bd931a817897c2dde7ee930N.exe
Size

2.6MB
MD5

3dc7676d7bd931a817897c2dde7ee930
SHA1

c0e0cf70045bf78fbc93b664d0bb41b88e28f45c
SHA256

cb627ea97186743dacdc4a8fae438058c3e3ccb871817c16a2e5f97b1b270158
SHA512

77e2498add59815c05e39120f9f379c1ba3a2059eb2191d40956b22c75e7241b899c750b0218d1ef212e4c17ae82675780a2a80cd4bfecdf27963d897f4c385c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	3dc7676d7bd931a817897c2dde7ee930N.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	sysxbod.exe
5016	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBI\\aoptiloc.exe"	3dc7676d7bd931a817897c2dde7ee930N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBY1\\optidevloc.exe"	3dc7676d7bd931a817897c2dde7ee930N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	3dc7676d7bd931a817897c2dde7ee930N.exe
4664	3dc7676d7bd931a817897c2dde7ee930N.exe
4664	3dc7676d7bd931a817897c2dde7ee930N.exe
4664	3dc7676d7bd931a817897c2dde7ee930N.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe
1160	sysxbod.exe
1160	sysxbod.exe
5016	aoptiloc.exe
5016	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1160	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	87
PID 4664 wrote to memory of 1160	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	87
PID 4664 wrote to memory of 1160	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	87
PID 4664 wrote to memory of 5016	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	90
PID 4664 wrote to memory of 5016	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	90
PID 4664 wrote to memory of 5016	4664	3dc7676d7bd931a817897c2dde7ee930N.exe	90

C:\Users\Admin\AppData\Local\Temp\3dc7676d7bd931a817897c2dde7ee930N.exe
"C:\Users\Admin\AppData\Local\Temp\3dc7676d7bd931a817897c2dde7ee930N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\IntelprocBI\aoptiloc.exe
  C:\IntelprocBI\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocBI\aoptiloc.exe

Filesize
2.6MB

MD5
71b7bfea8dea76ec902938810bcc3429

SHA1
8e90f0e90bb48e18cd889b6fddb7b6516cdc36d8

SHA256
136f019285741f42797b5fd14dd7be813ce0bc1207cb869bceffd20c15a05550

SHA512
5f9d1a6fc86c72d7e60c08965701f08c4f8fae4db36d2be5ad957941d6c78cdf4fbf2f5a2ee4302ae4ddb59b99db125e92de904dd0557dbf4b608288dbcf3f52

Download Submit
C:\KaVBY1\optidevloc.exe

Filesize
2.6MB

MD5
b05d9163154e077c1994336962220654

SHA1
8142333219347a2443db08b75de3a41ea1d753b7

SHA256
e52f9c6571c00d788642aa4b3e3ce90d1b7d09c264374207dc43c32a2b3807e0

SHA512
f10fe1eb15c21b0e08efc54bf5f0479c66a75255d5801bf3786aa33f6a102d014dd67d30ea5cbcb24242270fbda4cfa5c5741d0c7f142b68afe49230c20b2008

Download Submit
C:\KaVBY1\optidevloc.exe

Filesize
512KB

MD5
b612536a69426c62f07a81d28343052a

SHA1
c8ddf174d82c2872ec7e36e7796ab4237b063b77

SHA256
201bf89286f5f1250edb9c59d040cfe8ea65588992d4a67d7fe63c78fb921959

SHA512
26b709a53db7e3e02dde2cd9338edcac9d67aa2212bb9f096be01f48a7e30d9a6788fc4915bb6d30e2a88b5cbc6fa86e85d9bfb1c0de9d078f09faf107643f22

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
623e95201769503aa8accc887fa6d08c

SHA1
5672ca544144a9df09b8adb5032758de08cc8de4

SHA256
2d396637478218c13bfdeb0fa9e51cae3446660db823b03df0f3c4b1522a301b

SHA512
8ab010fca34e27e3bf74c0a920c28fdc3a215f68b0f1871fb45ba8acfde10c9a8ad6047baaa0f5299ca8225718c99ea5bd577ecd4533f7387743ab13842d4dbd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
dbb8b34f46a9d8e76b6e1760fd7786a1

SHA1
ed52e156173b3bdaf6305cc920dd3b1bf52b5335

SHA256
d656556c9379c6b996bbdbead69ec3022b127c03b4a94e5223dacc484f2e40ed

SHA512
75bb0c343c97e1ef24751d7d1595160938bb25e5c5d12fc39f536063efec808ad534e6ec30c9c32a16a048d12a7b0c6057d6ebff04bab95fb8f677404d532f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
09f0365d56a3a4c0cfde5efc2a8d4c7b

SHA1
aab081460f04db0e2f381ffca2ccc8e0ee4118c3

SHA256
47c1e5cc6201743c74787511739b8bbeb156cd9f90a59244f58b123c6ddb46ce

SHA512
c64074892eba008319ac8df0b00463380f15fd1f9601c8c068ac260dd0cfb75adf54c0838a636663bec53cb5704875051667af15658c3d3d47a4a8377e565c17

Download Submit