c8a861f5d84df03a97ec8b51d77b4ba91e6ccc84dd7222b70d5a1f065efcae24

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5a4639b5d423aa1079f67ae74ae010N.exe
Size

3.6MB
MD5

4b5a4639b5d423aa1079f67ae74ae010
SHA1

eeb5bedf3071f79797ce675be3511ea51691cadf
SHA256

c8a861f5d84df03a97ec8b51d77b4ba91e6ccc84dd7222b70d5a1f065efcae24
SHA512

fc252824c9df9f9127a6815c03f7871701c4180237e9b00c5163ed55a5563151220d5e26dfb75a3a279df4ee82c9aa2d5fa853b42cf0b75db8fdd22c56b8f4e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8:sxX7QnxrloE5dpUp8bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	4b5a4639b5d423aa1079f67ae74ae010N.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	sysabod.exe
2784	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1924	4b5a4639b5d423aa1079f67ae74ae010N.exe
1924	4b5a4639b5d423aa1079f67ae74ae010N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotY9\\xoptiec.exe"	4b5a4639b5d423aa1079f67ae74ae010N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGY\\boddevloc.exe"	4b5a4639b5d423aa1079f67ae74ae010N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b5a4639b5d423aa1079f67ae74ae010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	4b5a4639b5d423aa1079f67ae74ae010N.exe
1924	4b5a4639b5d423aa1079f67ae74ae010N.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe
2744	sysabod.exe
2784	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2744	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	30
PID 1924 wrote to memory of 2744	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	30
PID 1924 wrote to memory of 2744	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	30
PID 1924 wrote to memory of 2744	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	30
PID 1924 wrote to memory of 2784	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	31
PID 1924 wrote to memory of 2784	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	31
PID 1924 wrote to memory of 2784	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	31
PID 1924 wrote to memory of 2784	1924	4b5a4639b5d423aa1079f67ae74ae010N.exe	31

C:\Users\Admin\AppData\Local\Temp\4b5a4639b5d423aa1079f67ae74ae010N.exe
"C:\Users\Admin\AppData\Local\Temp\4b5a4639b5d423aa1079f67ae74ae010N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\UserDotY9\xoptiec.exe
  C:\UserDotY9\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotY9\xoptiec.exe

Filesize
3.6MB

MD5
02b47c3cd1ecd72e859674b4e6c79638

SHA1
93cc39ed5acbea73e1a30e780cef9e859d4d4813

SHA256
edf41df1defb721f6ebfb14ba8e3d6c81a5d34e3cceff45c98f6e1265d939934

SHA512
d1249a566012b958edd5cb337a81968da158b0faf73b2f07651a0cd08e0d10d080d7a4d89003d161099fb1767d72fa084d37b281c290e00638e65a16327686cc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
d4b0c2f5a543dfb580a85ae4ae7c27a7

SHA1
ec98bf5c0f7896edd916e15b91c545e3c5e4f790

SHA256
b80d73de533633935467eb4b582d193f565c90b057aa892b90bdea147a3f91a4

SHA512
5e8c438e8e0ebd14e4d39f917d27f48e5ee29c9d4ca61c90ea8a7ce2d22f613de052631e45ffd112358216e028c2c7efdd7c0c7d90af28c79bfe521a7b90b9f5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
2668c59ceca7a771c7bd2f5b10969e75

SHA1
90c716ff671760b6387d9d91edd97a547d81a6f0

SHA256
3aec9f653d19a2a7a8ed4b31bc55293241f76e0ba0a95d5ddde6632e4900e156

SHA512
f8220c995f47c8e4d8622b2845df35175c07c7bb43e45aabd7279d14a264b1f4c0aadc034519c26c6360292159d85a6a5ac7559285c694d9ff1d6f6e2e345338

Download Submit
C:\VidGY\boddevloc.exe

Filesize
3.6MB

MD5
862dc9f32488b2444cc18afdfe99ee43

SHA1
b6718a4a43ac40e30f9646a596b149d7adb31bed

SHA256
9e66e0b232cf33d4fbf7200ae14f96947c1586c47d0b834e69bdb6d701aac932

SHA512
fe24e63dd98628624868d9fe6f101ec899c2e8f3561a96632b057e36fc47613dd9d25562efe68747b19a2238259678f30b6b83bb9663145017b36d94e1947acc

Download Submit
C:\VidGY\boddevloc.exe

Filesize
3.6MB

MD5
454dc23fbf898cd773a3573359b35c66

SHA1
2b81c744fe1398f8b29d351ba48aa571e9e17d1c

SHA256
df949a52126803eb645f0d10ee8734b4b88e4484ccf8d70abb78878d1a390ff4

SHA512
23a79ee966f6ca1eb96390cf99e516ee97810826a44eb50fceb55c7bef45e417558675d8a048876c2dbf4c5becaeb2b11426872aba23a9d9aa41b0a029782115

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.6MB

MD5
b9833c8c73323aa9966f8b5d9659b98d

SHA1
cd5f5ea1a29ad5f8318926cc083b0a73c382f3d2

SHA256
6e54caffa2c1a2278f7efe7356daf283d64d0d1e40096b2129ff4bb9502222e2

SHA512
61057eaf09d598430cb6d05a723eb6a395d0b375e830740ac148f67e4fb4fee86cfe036dcd174ddc2d1d3c995d09514b5fa6b304c521b3bf449b6c3d6e537b8d

Download Submit