69febc8fbd4f3b50eb3d3bd7fb09334941d0aafc4878ab21db68a61bb5e4dddb

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 23:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9bcb0b228d457a866cc9c5b9a7a7e530N.exe
Size

2.6MB
MD5

9bcb0b228d457a866cc9c5b9a7a7e530
SHA1

4a3e1ab08db7d47ddd1c84e1b9929d29de283408
SHA256

69febc8fbd4f3b50eb3d3bd7fb09334941d0aafc4878ab21db68a61bb5e4dddb
SHA512

1b5e050ae23d5fab0c1a6af71d319c1e0ff8a8945b0c55d2f8332299eb11c1dcf0aeb60fedd2ed7c3970c46a294495fbcef436909b783ffb5b5c9df62f489662
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpAb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

Executes dropped EXE 2 IoCs

pid	Process
4264	sysxopti.exe
2160	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesN7\\adobsys.exe"	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLW\\bodxec.exe"	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe
4264	sysxopti.exe
4264	sysxopti.exe
2160	adobsys.exe
2160	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 4264	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	90
PID 3780 wrote to memory of 4264	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	90
PID 3780 wrote to memory of 4264	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	90
PID 3780 wrote to memory of 2160	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	91
PID 3780 wrote to memory of 2160	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	91
PID 3780 wrote to memory of 2160	3780	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	91

C:\Users\Admin\AppData\Local\Temp\9bcb0b228d457a866cc9c5b9a7a7e530N.exe
"C:\Users\Admin\AppData\Local\Temp\9bcb0b228d457a866cc9c5b9a7a7e530N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\FilesN7\adobsys.exe
  C:\FilesN7\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesN7\adobsys.exe

Filesize
2.6MB

MD5
3e0aa5c1e320cd2d8d09c1ff18867ba0

SHA1
a17538d78a446b0e9505851989f80c2efe2c0289

SHA256
125a43d1ee190db2753f7065d8aa76d23f7a64c107aae1cc01f5c6f250cb0fc6

SHA512
40ccb48d63ddf73be6f6076ce679ceedea60a63e8b9b0f387b43cf9d5f24283232f320fc163da85862e1fb639b049f5cfd091f1373229d946607641aeabc1f8e

Download Submit
C:\MintLW\bodxec.exe

Filesize
2.6MB

MD5
9dfe498d2f9a82eaa83cc355b77124fc

SHA1
168f396f0c0f3ee982080b1573fa991366c15bb8

SHA256
d99a583415be4a12cb9e8b8628145001780869b16ba11dde37ab5028dcf995ae

SHA512
e5c4a56b1b917edc6d3df3a5252ad25548b43d90e3f5666804abd11f2550bef8986729d503b80253e8b3549d9dc144372830cde2a54dc6882d5ada986a8af65d

Download Submit
C:\MintLW\bodxec.exe

Filesize
2.6MB

MD5
36921d204ddda79ab37e4e983f410439

SHA1
6cec86e67a7bd9737c22fb5a88bd1f58301b984c

SHA256
bfa2d20273e710422eab541b52680cee802028acc40a436652d242632c2b611e

SHA512
eba2493550037485a07c62fd8d5b886e616334a98c76da3b83715939250fc994e5333bb08fb163da0e4f916feea44cace0fab550b11bc123d132b5b2473adf20

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
02aaf6fc7989e64a4ed21846c1701ddc

SHA1
cabbf557f9925d0bb3a7b2663a77712d9c8354a9

SHA256
32c427354c39efca95ef517f820f5ac08b29300f7b527668f512427632675ca2

SHA512
200cdd440ad71c11d22e11c3175840e35051b8fb3bd55c03a0a9efc982976f4fe7619b1fd77916174917de312e03e4b8e9a46728f754b22820ed1b6af7080e89

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
c128de168c5f2cf5e31b4e3b62c14dd2

SHA1
b00a622c459603208f70436bbd1b7663ed79b980

SHA256
d11032854f52954779bd086e1e16c74ebeb37fec00c354867b9548d29d9566d5

SHA512
3dd5622d7ddbb93b172ea3839d6a25e482300403a9d231606a72942366aa1e910b65d7ce9bbda38f38c5c61008f6327b63256ccd248c8bcfad84b99fbe930c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
f4258dc9aeae3f4b45805e9e0ec8a10d

SHA1
27f5926e37a067fb230d0cb14ab6ecd804d23fb7

SHA256
6ce369bc553e161d2d21ec52b845e86f032de98d7d0f6797e2a7bfd236f24e38

SHA512
c6603b975ef33645f244804ac8f0a2dd48271493480aa7f4f5913b1dee82cc6f0f29f2e9231379adcf4a3fbad23cf6bcc380d83aa7600bf05351054485a32078

Download Submit