9cd7c7530c351cf69271745aa5adf9a93415a8f9850e17bebbfdcffbdab1b28a

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a721f621909b3f6a4066a844274857c0N.exe
Size

3.2MB
MD5

a721f621909b3f6a4066a844274857c0
SHA1

477052e21fd599dad2b3806f554988c3262816ce
SHA256

9cd7c7530c351cf69271745aa5adf9a93415a8f9850e17bebbfdcffbdab1b28a
SHA512

622f8c765b08f07426b2eb48ff0e500796b84335966dba16bbf8f29115f3e3c785423be73a25b1a1091ebbe324d07e799bc131defe275e22dbb4bdc5e8016610
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	a721f621909b3f6a4066a844274857c0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4632	sysxopti.exe
2368	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesN7\\adobsys.exe"	a721f621909b3f6a4066a844274857c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLW\\bodxec.exe"	a721f621909b3f6a4066a844274857c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	a721f621909b3f6a4066a844274857c0N.exe
2428	a721f621909b3f6a4066a844274857c0N.exe
2428	a721f621909b3f6a4066a844274857c0N.exe
2428	a721f621909b3f6a4066a844274857c0N.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe
4632	sysxopti.exe
4632	sysxopti.exe
2368	adobsys.exe
2368	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4632	2428	a721f621909b3f6a4066a844274857c0N.exe	89
PID 2428 wrote to memory of 4632	2428	a721f621909b3f6a4066a844274857c0N.exe	89
PID 2428 wrote to memory of 4632	2428	a721f621909b3f6a4066a844274857c0N.exe	89
PID 2428 wrote to memory of 2368	2428	a721f621909b3f6a4066a844274857c0N.exe	91
PID 2428 wrote to memory of 2368	2428	a721f621909b3f6a4066a844274857c0N.exe	91
PID 2428 wrote to memory of 2368	2428	a721f621909b3f6a4066a844274857c0N.exe	91

C:\Users\Admin\AppData\Local\Temp\a721f621909b3f6a4066a844274857c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a721f621909b3f6a4066a844274857c0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\FilesN7\adobsys.exe
  C:\FilesN7\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesN7\adobsys.exe

Filesize
3.2MB

MD5
38035aec7669b099129ff9edc64847a3

SHA1
00966fed1559be82c3c04076741568a694926f91

SHA256
dfc35cb9f2fd1004b903c9785aa0c93b2b8bcd380145d87e5be41390932e70cd

SHA512
86b5c6cd59c0c802e08e7fc8871ff0083df871c47e2aa7a86066b3bc24c8602c9598fe67a9cd166bb75ca5928bdbc5c1865dc285587434a6a00becdd05d91459

Download Submit
C:\MintLW\bodxec.exe

Filesize
3.2MB

MD5
f0e61859b9bd52acbc5e6e3a7444a824

SHA1
e7f246960510d4f69a75521fb605622c198962dd

SHA256
52b28d6b1bccf814015cc22ca74e6548daff4b356dfadb7ced9866b74adc8418

SHA512
b2dad619621b6ea8587b495443995f686c9632b29f584924b6fdc5da20a6b550639638333751bf30b08bda66d0900d1c658598624c639eae763323673ccf16c7

Download Submit
C:\MintLW\bodxec.exe

Filesize
3.2MB

MD5
40ed0eb8208808fab62449b746010d16

SHA1
734123db27c4894c3631414100024100c4eb923b

SHA256
e57391c20d06abbac0ce5523434516351dc33b999592e45c7414a163cb9210c3

SHA512
e28dc92527c378d31bda9bb556cab1367608f44868294228024d8357cab2f2d62e9d70a4081b98834572dafb82df9f076e5969d4558b36466fbfbbada5274463

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
02aaf6fc7989e64a4ed21846c1701ddc

SHA1
cabbf557f9925d0bb3a7b2663a77712d9c8354a9

SHA256
32c427354c39efca95ef517f820f5ac08b29300f7b527668f512427632675ca2

SHA512
200cdd440ad71c11d22e11c3175840e35051b8fb3bd55c03a0a9efc982976f4fe7619b1fd77916174917de312e03e4b8e9a46728f754b22820ed1b6af7080e89

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
c128de168c5f2cf5e31b4e3b62c14dd2

SHA1
b00a622c459603208f70436bbd1b7663ed79b980

SHA256
d11032854f52954779bd086e1e16c74ebeb37fec00c354867b9548d29d9566d5

SHA512
3dd5622d7ddbb93b172ea3839d6a25e482300403a9d231606a72942366aa1e910b65d7ce9bbda38f38c5c61008f6327b63256ccd248c8bcfad84b99fbe930c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.2MB

MD5
99d329e80f3d0da99a21bc680ee8ef93

SHA1
a4367948e8774b37adbe0be993fa12e83374858c

SHA256
e81026cda931a88749af46f9779e943b2ee94594d471ae41ce25261501dc8554

SHA512
73cf1aa5416e6e0ab5cc5b7c52e858522288dd607b27fc7a8f8f1bfb19e78f1d6b1893cc3b0476b19c08a7e1f57d7f775bbd0bb564312d87e48af7d36152efa2

Download Submit