afc094a7e7120c7240b6b1ea2ba6659e48dbd37f519087e4fd0296f23c9d7ff1

Analysis

max time kernel
120s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa4326c1ce14edbd9eef77add4cb1680N.exe
Size

2.6MB
MD5

aa4326c1ce14edbd9eef77add4cb1680
SHA1

32e67525829050225c6e81e818bbc80f83c30f0e
SHA256

afc094a7e7120c7240b6b1ea2ba6659e48dbd37f519087e4fd0296f23c9d7ff1
SHA512

b1c81efc47580055ce4b988b660826f8bca40ce5f4302b2d4a0641ec4dbe2503617da5c5e7e620ff93b55a3f61daf03a539314b7fbb6fbb13a09145c0fecbb03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUptb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	aa4326c1ce14edbd9eef77add4cb1680N.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	sysxdob.exe
2760	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	aa4326c1ce14edbd9eef77add4cb1680N.exe
2296	aa4326c1ce14edbd9eef77add4cb1680N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8F\\xbodsys.exe"	aa4326c1ce14edbd9eef77add4cb1680N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6X\\optixloc.exe"	aa4326c1ce14edbd9eef77add4cb1680N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa4326c1ce14edbd9eef77add4cb1680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	aa4326c1ce14edbd9eef77add4cb1680N.exe
2296	aa4326c1ce14edbd9eef77add4cb1680N.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe
2148	sysxdob.exe
2760	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2148	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	29
PID 2296 wrote to memory of 2148	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	29
PID 2296 wrote to memory of 2148	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	29
PID 2296 wrote to memory of 2148	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	29
PID 2296 wrote to memory of 2760	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	30
PID 2296 wrote to memory of 2760	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	30
PID 2296 wrote to memory of 2760	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	30
PID 2296 wrote to memory of 2760	2296	aa4326c1ce14edbd9eef77add4cb1680N.exe	30

C:\Users\Admin\AppData\Local\Temp\aa4326c1ce14edbd9eef77add4cb1680N.exe
"C:\Users\Admin\AppData\Local\Temp\aa4326c1ce14edbd9eef77add4cb1680N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Files8F\xbodsys.exe
  C:\Files8F\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8F\xbodsys.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
1c6137170049e524c2ad7cafbf989162

SHA1
0c5c8522d4dccfc9e5263b6a1dc0169d83b9d3b9

SHA256
f712ecff82bdb0c1c6efa49cb056314fa6a7f78b39d683b22e3a1754ee0c2a44

SHA512
0f6a0e03276566ca12c96892bdb89d4028d17e1a2c6254d6ff97b391829c301ccea3b9163e412dbc8c08fe03e92e37a1d0dbe0ee88f2443c08520c835fa396ff

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
f43001ad318a34f72ed76945386b87f4

SHA1
52c411a0a0722588d6a0b780ac0e4dddd3955d45

SHA256
ce6811ab11e062353f4cfd315a6a9f34dbfc82ba7a6ed1c4974b578afe842d3d

SHA512
d29fc4114c3ef916c28acace0c1d4cf95a83e8599402cfffecd093a69e4def2dc43784b23bb6e5a091fe81c06815af209c7c330c30c3a11c65b06663f7381d79

Download Submit
C:\Vid6X\optixloc.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\Vid6X\optixloc.exe

Filesize
2.6MB

MD5
f6beed7f2e65aec1c12e8547d3b84fd6

SHA1
8d304623ed4f99a0d8091b354615714a4133da8b

SHA256
5193a9eac6dc2383e8f3497ae88bd0918331e5185bb235103b94efc9840bd87a

SHA512
c5ae941c9e65f42e3657c26672a646e27b20ed05c68d1306fce803c54c785168e9ac597d157df8a3e60ec6ed8a75c3d03d21f01ef0a3346ada0551fe988cf06a

Download Submit
\Files8F\xbodsys.exe

Filesize
2.6MB

MD5
dc3ed05c10b0f37555ff5c95f5f7aed7

SHA1
156ac6da31971f565e2417bf9f38434db22152e6

SHA256
94e05243b555edcfa6977256c3ad2dd1113f4ba1223964b27f9287072a9a6f73

SHA512
cdac99e5eb97e971ed372ac585b79b54b862670ab50e5907ee9fc5a1299d1b1bffc68f0841960d7305f25cf58c617ca0eadd3c6df0f73e349dc4718b71ddb068

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
bf2c53cb46f872104feccca7aa933a0f

SHA1
a5b1aa7c834c5f536d31dc85b9990a242bbebff4

SHA256
e9e04ea2ae509097f665812efe2b1a53925c2a95547d0b0f403f1b5a60e6dea6

SHA512
d8314d835c0357e3dd647b82e3e3567b69cfe62ce5a588fb7b2f0f2f6aa57493a409cb633b7b6a7906e85b8a05715cbad20e661cb478d7f887a8d2cbda5d0ecb

Download Submit