3f6a80b8e4c1e99375c9e94629d60ef3ec6de4b6bb31deee8fe10293d6cb8b34

Analysis

max time kernel
119s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d866f563e7c8fec28bedb1766583e20N.exe
Size

3.6MB
MD5

4d866f563e7c8fec28bedb1766583e20
SHA1

a82c168ad193fb12ff8c6f895544b0a30ef3355f
SHA256

3f6a80b8e4c1e99375c9e94629d60ef3ec6de4b6bb31deee8fe10293d6cb8b34
SHA512

ebfcb8bda2bd83a942f6770e2040001ecd9de56e5563e056d84766173499728c380ed185e328154254c4f7799e32618073b7cf6fa30b503c29d8930754daffb9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8:sxX7QnxrloE5dpUpGbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	4d866f563e7c8fec28bedb1766583e20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2444	sysaopti.exe
2440	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIW\\xdobec.exe"	4d866f563e7c8fec28bedb1766583e20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLM\\boddevec.exe"	4d866f563e7c8fec28bedb1766583e20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	4d866f563e7c8fec28bedb1766583e20N.exe
3060	4d866f563e7c8fec28bedb1766583e20N.exe
3060	4d866f563e7c8fec28bedb1766583e20N.exe
3060	4d866f563e7c8fec28bedb1766583e20N.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe
2444	sysaopti.exe
2444	sysaopti.exe
2440	xdobec.exe
2440	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2444	3060	4d866f563e7c8fec28bedb1766583e20N.exe	87
PID 3060 wrote to memory of 2444	3060	4d866f563e7c8fec28bedb1766583e20N.exe	87
PID 3060 wrote to memory of 2444	3060	4d866f563e7c8fec28bedb1766583e20N.exe	87
PID 3060 wrote to memory of 2440	3060	4d866f563e7c8fec28bedb1766583e20N.exe	90
PID 3060 wrote to memory of 2440	3060	4d866f563e7c8fec28bedb1766583e20N.exe	90
PID 3060 wrote to memory of 2440	3060	4d866f563e7c8fec28bedb1766583e20N.exe	90

C:\Users\Admin\AppData\Local\Temp\4d866f563e7c8fec28bedb1766583e20N.exe
"C:\Users\Admin\AppData\Local\Temp\4d866f563e7c8fec28bedb1766583e20N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\UserDotIW\xdobec.exe
  C:\UserDotIW\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZLM\boddevec.exe

Filesize
106KB

MD5
a16934d3597e2bddf404e48af462d3dd

SHA1
7cca60e3495c9101d48dda8af30d2ad5fe4cb0e5

SHA256
a3b1282bc36663c37f20fd5e18c1036c6bc9b85f7d1e5f23612f0ab1fe7c5fe2

SHA512
4a8650e6c46746429f07de29d5d3f6ab1015386e8db4ea30a8a0125287e2b4fa855e053034b4a0737f8625b6b8ac32f21acbd194c5895cc675291a7dcf321969

Download Submit
C:\LabZLM\boddevec.exe

Filesize
23KB

MD5
859ebb87091eda45d4aaf0ea5e233084

SHA1
7db3583f649e3ca4a64208de312be8edeef804e4

SHA256
e5879114b6d73753c6e36f5dd28769d598180e7749714c60c98d3de4a491bbe9

SHA512
c09308ad9e9cabad916973148c7d104d499eb492568eaf5574fd9b68dee97beb2fade58e85b0be82d4c0ae18f05f7658c7b9a79adabd2c57472b2579cb7cb9c9

Download Submit
C:\UserDotIW\xdobec.exe

Filesize
66KB

MD5
6559119009800de15e8db88b273c6eb8

SHA1
4bf6a142c16f4aee156f5c16b94b21434c075866

SHA256
ea7119e6d54f6ca9999dc602bd5c03aee694c5556a02d087138ebf96e54e19b0

SHA512
a470aeff142732d4a893d37b63dd1a8618f2ba0bff998c79d13692d70355e9a26259e1b0e2d1acf492e9eef9d7ed8dc7ab809db4162dcfe0cb958e8fcffca2a9

Download Submit
C:\UserDotIW\xdobec.exe

Filesize
3.6MB

MD5
ed09e05a0194800311b841f5dcad0356

SHA1
79aa80a91423139a994b59af1b4dfb3c44af6d63

SHA256
ac0bd656cfbe8a2ccff40e2e663f7df026105a2b84c96b77bad299a1f80930d9

SHA512
e1ab813cb483de4e803e3a86e30ff9c593f094bb9e6aa45edba0bce8c1288c7ab653bdbdde3a420d2dfc769e61c189057ac07260ed45e9ff732fdea0a698c117

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
bc783d705b44889b999137bf5278189e

SHA1
32f2d83e70c2168d3e9dc72d7ca6b4272ed163f7

SHA256
7e56f496b8367e4caa130f842a5c32f361e9a3737057893bab2a9fb4572279b2

SHA512
755c5d1ec32f0a7468e33e45f0cbb84417534e66e0663d7a1ce8f8202e32a5630a405514f0c20f0d4f91eb2db2349d0f0fe1b2ed2040b48a5ffae33e2bf500af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
39f18f5510fb6cfe6d2099195b43436a

SHA1
4b6c8bc46469c66731d3acd030ead0120659b50a

SHA256
0a38a41c2661cacfe266bc1f6dc3fdaac1ee6698018420f085c83398ca58822c

SHA512
1fdfb7f749d0c80989b6abbd5015b70000b5fe29d83cb686b43ada78aa382a23ac4487485f15365249cc6c11888a436bf5e30f476d8a88ee01bdc2da3ac71186

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.6MB

MD5
825e0554ade7e7a026db4ab26b2928f1

SHA1
6fdf230a52acafe30ba1d8b4c4c2b6c9f305638d

SHA256
5cc955738f57483363463865c62bc9f0d4ab4da1d052bca5df0d87dbfde3a8ad

SHA512
0e19f5713a037eaab43f634f7b7b8cc0ab0b7b0a7aca74ccf443e3a4eaebf1ae4b9ac2efb7686c889320b9e259d8ea8e25b0de0724cb151211734a7ba7dfc8e3

Download Submit