2377e5c7fb9deeae097ceeeef8d168fcc9db1018cddc1f2f2172b8d60efef539

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e36bec5b6893a77f788eff5293ff50N.exe
Size

2.6MB
MD5

d1e36bec5b6893a77f788eff5293ff50
SHA1

4f620d7513e6a2a44dfee5e5c090a5054a553bf6
SHA256

2377e5c7fb9deeae097ceeeef8d168fcc9db1018cddc1f2f2172b8d60efef539
SHA512

80ebb5f6b5459239f1ad773ae5ae7f34296d10f9b7b7c87de8c34d783133a5a507daa2383d65ae866f474295433c58ddb2ef04c7a49dacad0caf0ef84fc9d78e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpRb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	d1e36bec5b6893a77f788eff5293ff50N.exe

Executes dropped EXE 2 IoCs

pid	Process
3008	sysxopti.exe
828	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	d1e36bec5b6893a77f788eff5293ff50N.exe
2092	d1e36bec5b6893a77f788eff5293ff50N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0T\\adobsys.exe"	d1e36bec5b6893a77f788eff5293ff50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB46\\optixec.exe"	d1e36bec5b6893a77f788eff5293ff50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1e36bec5b6893a77f788eff5293ff50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2092	d1e36bec5b6893a77f788eff5293ff50N.exe
2092	d1e36bec5b6893a77f788eff5293ff50N.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe
3008	sysxopti.exe
828	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3008	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	30
PID 2092 wrote to memory of 3008	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	30
PID 2092 wrote to memory of 3008	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	30
PID 2092 wrote to memory of 3008	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	30
PID 2092 wrote to memory of 828	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	31
PID 2092 wrote to memory of 828	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	31
PID 2092 wrote to memory of 828	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	31
PID 2092 wrote to memory of 828	2092	d1e36bec5b6893a77f788eff5293ff50N.exe	31

C:\Users\Admin\AppData\Local\Temp\d1e36bec5b6893a77f788eff5293ff50N.exe
"C:\Users\Admin\AppData\Local\Temp\d1e36bec5b6893a77f788eff5293ff50N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Intelproc0T\adobsys.exe
  C:\Intelproc0T\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc0T\adobsys.exe

Filesize
2.6MB

MD5
7d339ca07a65d05a0dbd86b2dbea0e1c

SHA1
d63278b297c31960eb2d2c2f76c52931e80d61bc

SHA256
b51518dc97f403b5cf97aef16b27a2c9aae9e4937922bb54b4d24bb6ef7cc912

SHA512
f1819ee289bc7c673bd558a928366936b7f3cd26f240b6e33494bffd89985870de469d526fbd13950ba5fea58c3280d63e130412b82019c523e78b80aeb426ee

Download Submit
C:\KaVB46\optixec.exe

Filesize
2.6MB

MD5
c95fa1743612583238ec1eafcf76ad19

SHA1
13fe3852b2857866acbd17687a49330f85245fda

SHA256
9fe9c1f7bae32affbb0ffab5f98ae5a6d989fcf5742b4024228db044cc079d53

SHA512
45626b6ec7aa3e45d452091919e4d94aa08d43479bf8d1688c5b1192e99ac4a4f79d0a99ef332ce87169f4335b0bc1749339edb6999d2650076c5ea5265c9aac

Download Submit
C:\KaVB46\optixec.exe

Filesize
2.6MB

MD5
7ed48c9f518f501a44793778e3441190

SHA1
b14db446c867e98aacfdbefe7911c91c3c7201e1

SHA256
741d85475d0ef43d05a34b5f71abd886930507cc5c69d08855c799d6623ea4cb

SHA512
f172f9bff37105aa76e4128656b06c463d9f6c68de7052ade9cc64f55573051fd32d2e040f5328536b01699d4c0899bb69aef72aae743cc80c5a29299d798073

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
19f0129513a1265b21330ac030355a14

SHA1
7fa7fb1229f874ff0327c2233d4dc4534755a64b

SHA256
31311b180c0180568e67ce3f177672f1d3030987edc1d19d7dcb53dda0f331fa

SHA512
3380ec0cb8d5334dfd9edb5720ec1e82a89845ae8dc4488e6806d7214740153239e34fef0601020f66fa3f0fcbab311e6566090a71c9814d3b584ae28fa145de

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
4b785fcc6576b3fcc6cd066596ef9c4f

SHA1
95a36e3d1c3d5bf090e4a0279bdbc9b12a1ef88e

SHA256
1dbd345a4c4a4304e4b920f10a4950649968ca644008e8858d6a3791da2cb0ea

SHA512
67faded3d594b85601db86a77352fdef12f144ff1fde62c9ebef324b75e94c561bdda62b3872c379000f0894b0e4621f5298114ec4281ad958bcd9384b4d6e9a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
fbb7d2219c16394310ccc62040a86576

SHA1
cfbe634f186d89a9a78994789ab7707d03e76528

SHA256
4d82dd071990e5e03c400c17f67ad6607d179d0829c9b1b3024de7670184d349

SHA512
c5ae212e06c237adb91b21e5b0e2514df3ee1bc849488dcb3fb35a58d0524f6a9b1a557ca63c97778988fd61d606075b05e899c4eff875000a43c0baa23d7a3f

Download Submit