bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
Size

3.6MB
MD5

82c757687e2c03cd317f83ffc98e13c1
SHA1

35a903af927105d32598621561caaee18181ac99
SHA256

bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325
SHA512

07d0e8d5971175f0327e157d585763b91ebce46f181f4f88016ce632a173c793df6b19d3c5c89143f0641644d5c45b712c325c89856d24bf1c30077633c090ec
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpNbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	sysxbod.exe
980	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTN\\aoptiloc.exe"	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU5\\optialoc.exe"	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe
2328	sysxbod.exe
980	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2328	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	31
PID 2352 wrote to memory of 2328	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	31
PID 2352 wrote to memory of 2328	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	31
PID 2352 wrote to memory of 2328	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	31
PID 2352 wrote to memory of 980	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	32
PID 2352 wrote to memory of 980	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	32
PID 2352 wrote to memory of 980	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	32
PID 2352 wrote to memory of 980	2352	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	32

C:\Users\Admin\AppData\Local\Temp\bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
"C:\Users\Admin\AppData\Local\Temp\bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\SysDrvTN\aoptiloc.exe
  C:\SysDrvTN\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBU5\optialoc.exe

Filesize
3.6MB

MD5
96e3872af36f3ddbbb452cf375ecb649

SHA1
a82a798bfdb0bb04d39a20943ce8be50eacae79d

SHA256
880c0d2b382897a2fe52227af58b0616eedd275f967e51cd57faf60db8f4ec13

SHA512
0284a8356a85d6ea8a85e5e675ecf28677769ff27b19b9bcd1a2e1b734dd1e8a871b14e78c885cde7888c13621dc65e375fafc9398949e61f8b7a6112ac6c474

Download Submit
C:\KaVBU5\optialoc.exe

Filesize
3.6MB

MD5
0c89b84d66ba3c8e03fc9bb20927792f

SHA1
261e66f21372a4eb2fa3e098565a0c8f99832a32

SHA256
7a2798b7293f7b766d2cd71f7e231273e1a77bdc4226b01e939d5d17ffbadb5b

SHA512
11eb5be1c500326246009098841f91af48bf880d6b931c2fe41dbdef53de873506b5134102408fc96536e6da3c76f087b7afc06aad919b8919b0d453fe861fdf

Download Submit
C:\SysDrvTN\aoptiloc.exe

Filesize
3.6MB

MD5
64298f84ae2d65fac1b65f50d93f570c

SHA1
3e1d21bab6d33d79cc3fa955a6c224b352c817c2

SHA256
c22d5a70da94073a33acc4235649f25b1de0c8b2a5b5f7984071c8a4545d18e4

SHA512
7513a51feafe16b7dd9be9a26f4070d3a4fd9544e3cc27a0a0f6243678ee5126dc87f155f55e2f839b4914216411d95055bdabcf8ec1d7fc2eacb543d42aa7ea

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
e1d2ab75aa8b677f7aaa5ee7ecdfd471

SHA1
ec8f2c599ab262330774eff6793b2c279af712c7

SHA256
d146f03fad2d7a27cfa87e27b24b51d386e31ffee5daaae5d3d0297262518d40

SHA512
5b6cde0ffb89c9ef0ce0f0c8e66478ff6cb3484bb0605430d72107095663f2c8e1422070c49802db737927d0dc0aa37efbddf9c98158d3ba769b519d8bf88320

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c26e138fe834971ed1778818bfd73307

SHA1
6753129140aa8cbc3f015d59aa866fbb723f9fcf

SHA256
d877a8ff0f6aa9c8aee45c55c16f01e959bc06cd425244cd533233b47e3ca591

SHA512
c318ab1a8eaf355e092002b343b10bebc9443016d5a7b5b3096eb3681e29d669b31a96fd3320bc84818a925d2e5d88cc8407d1ce32695de09d81ef506b469040

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.6MB

MD5
91a9f03e785156fcb2b67ea1e33f8f44

SHA1
7a85aae6207b0aad370c766310a533190e0e420d

SHA256
ee749135ce1059054d733f8d13c32e36a9cfccc0bde1ce4aabf060585a6ced0a

SHA512
09186c5421e6f6224ec5a3d43f5ce2ae1139177fc19f7def52e9e1edc89ef4094f64f775952bdca1dd88f825871cc8deb2207409fcfd9f6ff4ab5039bca7c1c7

Download Submit