68a1ab0f586c44096fbe8905de8afa15db234131867ea9015b4ec1d95a8411b6

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6558faf08f52f3404fd23b1a5830e0N.exe
Size

4.1MB
MD5

ec6558faf08f52f3404fd23b1a5830e0
SHA1

df59f565572a5fe45632044b4b026005e022c367
SHA256

68a1ab0f586c44096fbe8905de8afa15db234131867ea9015b4ec1d95a8411b6
SHA512

3daeb88504192c20261a3b8a5c40092c5c147548e553a184e1e90672a661382e9dabf61c6f3e15bd048c3aa3e21acbb6af5844c4b1b904bdc6f7f3c7aaefc953
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	ec6558faf08f52f3404fd23b1a5830e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3376	sysdevopti.exe
4664	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYM\\xbodloc.exe"	ec6558faf08f52f3404fd23b1a5830e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWT\\optixsys.exe"	ec6558faf08f52f3404fd23b1a5830e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6558faf08f52f3404fd23b1a5830e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	ec6558faf08f52f3404fd23b1a5830e0N.exe
2948	ec6558faf08f52f3404fd23b1a5830e0N.exe
2948	ec6558faf08f52f3404fd23b1a5830e0N.exe
2948	ec6558faf08f52f3404fd23b1a5830e0N.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe
3376	sysdevopti.exe
3376	sysdevopti.exe
4664	xbodloc.exe
4664	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3376	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	94
PID 2948 wrote to memory of 3376	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	94
PID 2948 wrote to memory of 3376	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	94
PID 2948 wrote to memory of 4664	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	95
PID 2948 wrote to memory of 4664	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	95
PID 2948 wrote to memory of 4664	2948	ec6558faf08f52f3404fd23b1a5830e0N.exe	95

C:\Users\Admin\AppData\Local\Temp\ec6558faf08f52f3404fd23b1a5830e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec6558faf08f52f3404fd23b1a5830e0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\IntelprocYM\xbodloc.exe
  C:\IntelprocYM\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocYM\xbodloc.exe

Filesize
4.1MB

MD5
7be6ff73617b9026981cdfd060763570

SHA1
217477ff2e254762ba6c3cffae023974efd09f40

SHA256
6d6db06a55688a3a1da73b1820f7b204b5a5e478c59c4539f1d08bedd6e22199

SHA512
0b33cac5f2a3490d377c9ea3076c7e0b9d8395e93ca0c92267489f38d7ae2531dc8a76b7545ea09e298be34d3fad8e09323933afdce4f657a3e6b9888d02170d

Download Submit
C:\KaVBWT\optixsys.exe

Filesize
4.1MB

MD5
11aa8f1731617d4b2fbb71e536e4261a

SHA1
1d669439945bda9229985f9919c30bd5733a0898

SHA256
36c033ed8c2e4542a54f76be9fa7740f400e0bec67a362b8b9783321ff452573

SHA512
bd90f3feb1583281ed9039543f2ae2db4096174d4acb3f6e2f7e1f3b73dc048a866b65b1c41151e25dc75fcdeb3c0fbc486ec8aafe8e659362762302b71e0a6a

Download Submit
C:\KaVBWT\optixsys.exe

Filesize
4.1MB

MD5
e5092b5bcae1c492568367e7373a4839

SHA1
7389b3e06c812f45aa1bfe88fdef8806e3256296

SHA256
59f0d90efe6f36f96ae12111b3d4d7732d1394e69f26cfd4fbfd51e512672bd4

SHA512
37ff406b525d6a186801ac39683bd0d79098c995f615f4a2c224ca2d057e575e966376136bd9a220df1f2ce4b3711e47327f29868125f747cb97fa70886b46e3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
b995e210027bea4ebc53ba4401b34f80

SHA1
1b15559e9fb0497e94f28d5d1bea87698d81ecfc

SHA256
fe697710ee8d5a33b62d826900dc7ad990a18eb836666889d24a51bac3d93ea1

SHA512
7b8846e767fc525cb69d538c2872e9a4a385be90363cf9d68f5fa7d0954f82fb778416b8e92afaec0b0510614bbd27d56756ec01b634915e95261fc33b03002e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
819f67a8a9470c5fbfe94f20c1f336a1

SHA1
f221f74310d4ed833da3f1dbc9c4c8ec7a8863af

SHA256
b03cfd2aafc62d9f7e14eb942412526f1aa0046aa87747e1b4fdb1a507a47a1d

SHA512
811f247c1033d4c0cd14d7d61e57dfabbb5789cc7c818d2733e5ca5110f86c267d119668b2245d3d2ebeef4e0fde47805ca5883222e8108d76a3a87f87fb96ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
4.1MB

MD5
54a54722f645afe466ffc347b58d525d

SHA1
0743610be32612211f923fbcdfe5197b22732e1d

SHA256
3433edc66ee61efb8d3ceadbc61259ab6173f61a99626fa4f3f895b6a98b27a5

SHA512
b7eb0af38037025ee8587c5f3b3cb944f58b11c39abeffc95401dff49ad90718f14f90f22a8eaeff273cb2fd65a55286192ffd6030b5eb5646746da95cae0b47

Download Submit