d6976b55c2a622c14bcc6ad8ef685bf81cffbdff05c9aeea5e6f29fcd35ee9e8

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c5c6dbc11badbf3b14d23a94ef93050N.exe
Size

3.1MB
MD5

0c5c6dbc11badbf3b14d23a94ef93050
SHA1

8ee09db58b1f3e7e118849cf20eee1b8d9263c75
SHA256

d6976b55c2a622c14bcc6ad8ef685bf81cffbdff05c9aeea5e6f29fcd35ee9e8
SHA512

03761f4fb83efeb49cc6cdf1db074c9174303bd4215809e56677dc51cf5a1e03821a3a9f61f6c6ea55d3dbfba2fe3601fbbe6723f23d3e2c9bae3a47aa7c0677
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUpfbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	0c5c6dbc11badbf3b14d23a94ef93050N.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	sysxbod.exe
3664	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMI\\devoptiloc.exe"	0c5c6dbc11badbf3b14d23a94ef93050N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidE0\\optidevsys.exe"	0c5c6dbc11badbf3b14d23a94ef93050N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c5c6dbc11badbf3b14d23a94ef93050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe
3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe
3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe
3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe
2892	sysxbod.exe
2892	sysxbod.exe
3664	devoptiloc.exe
3664	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2892	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	88
PID 3852 wrote to memory of 2892	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	88
PID 3852 wrote to memory of 2892	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	88
PID 3852 wrote to memory of 3664	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	89
PID 3852 wrote to memory of 3664	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	89
PID 3852 wrote to memory of 3664	3852	0c5c6dbc11badbf3b14d23a94ef93050N.exe	89

C:\Users\Admin\AppData\Local\Temp\0c5c6dbc11badbf3b14d23a94ef93050N.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c6dbc11badbf3b14d23a94ef93050N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\IntelprocMI\devoptiloc.exe
  C:\IntelprocMI\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMI\devoptiloc.exe

Filesize
3.1MB

MD5
2750c91f8a0100018e0e3f3d7236f4c7

SHA1
01749c880b35bacffe20bc5ce4f795d3b48cdfc2

SHA256
eac56c0f8e5b84bf9fbe8817154b4bfa805aaabf090042416308a06ba385f5af

SHA512
db71cc48118affde92d826cb5a058afed85ae419a7feb146203a1bdaa320e0bfc2f18ab3ddb192937dbe2b392ae7d3ff2063954ab4e7f9a76323e85fadcbe4ff

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
b53a768d804b1c71e3940ef13dab8efc

SHA1
3296c202d01ee539e927a7521f14b83cfcc01c31

SHA256
2f94614539e586105fb9cb5a619a8a0d17c49d0acf746ebeaf347a22a2c706c0

SHA512
edd97b30e6d64a87da948456153539cbe49b3b2eff5792c53b8519a2f95ef4127f6d90c7362dc9b3906961b64c9fc2a88a5256c9bdc36bf78a81a765e9ca525b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
2a75c39cdca821dd6d8d561076a4365f

SHA1
465c61451001fab862e0daea0d9d1aafa4c24638

SHA256
869f5015c3dfe335e17342c3644266f7738fff65f704b4a9f4975a062e794efd

SHA512
3020852bc3365971364704b9c660db3fe6962f59c1b1c7915b5e176f03bb581e2b38c1c9ccada24dd4910663e640026f618bb17663684a9765f4578c1369176e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.1MB

MD5
f7de7afb2f57ed84f59e188f485a70ba

SHA1
e17c18b9c092c70f6c5a1dd17b823c169288a40c

SHA256
5d109d9d0d8644c5915f338767929ae1a9e9b0e7d64aad56cf29a4add0c5a93d

SHA512
62d3cdc9d67ad4f39acc1570b19a95d5ecc96f0700cc22b4b74a9d6778d5a556d026e3856b76ee697e4f6730a02a6cf9d9efe7e5844532631f904eaa60e124d6

Download Submit
C:\VidE0\optidevsys.exe

Filesize
249KB

MD5
0f77ed39d9e73c202844c510893fdf22

SHA1
1b8fc22b54148a441a8d8f465c3b0588a059e403

SHA256
05efbbbdfb1a6e94be04746408c158f9809173e75ddf3893cf6e4a1dc3323280

SHA512
41e459482d39dc37230053de1a1d454ca5aa37ccaa29405dac902231c1f37bfbdbdcbeba2159b74cf94b4cff76b82aaee00b6f078984382f241b5d54e86cb79b

Download Submit
C:\VidE0\optidevsys.exe

Filesize
3.1MB

MD5
1e378fa2034b83cdca9c005c1a698e75

SHA1
099976991bcc614c1ac71bdc01184a3af20e8969

SHA256
c0ac6512f1d5c6fe408b745557e38440f40b1a96e96ee0c9ae8e81738e949c9f

SHA512
afc2516fddce3ec265053c48041a433032ec7b4d154ae56468f2103a8c3ee3e4837eac73989c469001f59937d4fc53aaa7ae79e6d5c7b1d050158d52be850eef

Download Submit