1d0ae82da8c544dbc1cffd917d52d4bae2b128ac0f2bf7bab7bb0cbda233a2b2

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700e2365594ee4bd77f8c33042f29650N.exe
Size

2.6MB
MD5

700e2365594ee4bd77f8c33042f29650
SHA1

027fbb11cb198860cdff8918643ae5cba34b659a
SHA256

1d0ae82da8c544dbc1cffd917d52d4bae2b128ac0f2bf7bab7bb0cbda233a2b2
SHA512

3d1e3b6c879d3c31b79e13834dafada42e1e882e1803973485e506b166444816b7ba99a11b42a30f2a40c6be4a67a5c5c8e1af391699b7c128b588611732def4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUp0b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	700e2365594ee4bd77f8c33042f29650N.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	sysaopti.exe
2944	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	700e2365594ee4bd77f8c33042f29650N.exe
2124	700e2365594ee4bd77f8c33042f29650N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWZ\\xbodsys.exe"	700e2365594ee4bd77f8c33042f29650N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJL\\dobaec.exe"	700e2365594ee4bd77f8c33042f29650N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	700e2365594ee4bd77f8c33042f29650N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	700e2365594ee4bd77f8c33042f29650N.exe
2124	700e2365594ee4bd77f8c33042f29650N.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe
3000	sysaopti.exe
2944	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3000	2124	700e2365594ee4bd77f8c33042f29650N.exe	30
PID 2124 wrote to memory of 3000	2124	700e2365594ee4bd77f8c33042f29650N.exe	30
PID 2124 wrote to memory of 3000	2124	700e2365594ee4bd77f8c33042f29650N.exe	30
PID 2124 wrote to memory of 3000	2124	700e2365594ee4bd77f8c33042f29650N.exe	30
PID 2124 wrote to memory of 2944	2124	700e2365594ee4bd77f8c33042f29650N.exe	31
PID 2124 wrote to memory of 2944	2124	700e2365594ee4bd77f8c33042f29650N.exe	31
PID 2124 wrote to memory of 2944	2124	700e2365594ee4bd77f8c33042f29650N.exe	31
PID 2124 wrote to memory of 2944	2124	700e2365594ee4bd77f8c33042f29650N.exe	31

C:\Users\Admin\AppData\Local\Temp\700e2365594ee4bd77f8c33042f29650N.exe
"C:\Users\Admin\AppData\Local\Temp\700e2365594ee4bd77f8c33042f29650N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\IntelprocWZ\xbodsys.exe
  C:\IntelprocWZ\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJL\dobaec.exe

Filesize
2.6MB

MD5
9621cf386dffb68cb43bd37b9753f456

SHA1
105abedf8864757522d17ddeaf35b4deca177fc7

SHA256
a285757af08a852b936cdc26c91de02c194357d164b29aa91c09d9690d25cb69

SHA512
94d20255ceff7a6d87221a90aac39f544e2cc08d7387be4c1dec77945cd89d91c39080393ce5aadcb6bb8ad845e3205ea4e439d7896e901dde02ad39cd58a294

Download Submit
C:\GalaxJL\dobaec.exe

Filesize
715KB

MD5
bc79eb9addb4957236527798a596a015

SHA1
01fc1c6bc9ac11b30d9a46c56699df0fc622c219

SHA256
202bccbab82388581abfb54007328a4d682bfb603634f2d302d6cacf8a01a72d

SHA512
8a91a3e268163af6a26694a63797caf3571dee6c7fc75d42a65587226a132e833a6bed5bc55e9f29dcea66da31e49077f8830a453ed18d3112cb29d1c53b27f4

Download Submit
C:\IntelprocWZ\xbodsys.exe

Filesize
2.6MB

MD5
4751103f1c97ad2759099f45a370639f

SHA1
09cf558875cf952d934018976ae044e799df9809

SHA256
a2e28ce28124ada3a205f90cb79f8a71778fb30bdb8e813e9c536acfa8f2ea05

SHA512
64ca9b808c55404153b89aece907e9ed168d164b9356f02027677ae3947732265a957c29c2b700552262f9bfac6518fb455d06443dca5bb0098d65348bcaa2ed

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
f50699b203e504169b3d08b830253622

SHA1
59874d72952f117a4c132e374fc446c7faf35f3b

SHA256
b5b1d72579031f54c7bf63c8e900c5f7506976c235380d159bd3c338cf6c5305

SHA512
4950afdf85d1090e09956beb35d1b4fe91fd94818981a40b3f77a495d7e698328206e3b054db60386027d08bf760642665c4b661ef37d7d5a5f64dde0213b1cd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
015acd4f340faeadb780aa2c20d57bf0

SHA1
5b8502a1f045c6998e0a60ffdf5276bbb8087a09

SHA256
846270545a06ba3b289b820c6858b55934aab80af8b231e01b17d46ae55e6d42

SHA512
077de83dc75e6e4b8daf011a32a3e3cf6a9c0f47f3688d03436ef589b4a7f132c173846616588120b70f3aa7bb634a32fd1c012dc600a86b0296e7baa0cf023c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
21bf241e5c425074c8d605f4075d3abe

SHA1
f5a0ebffef32df2128a1cc28d70a97a5f01ea466

SHA256
9fbf2419914b85f222a42cfb2e58f23086bc5c4410c004d35da4c0b0f0238c78

SHA512
7d19a15f812d40d8ad4b7e41c6ed246145f872031bb8d96ce6868c906e724b826f79d7e4c828c4f6a8576ca08691df99b91f52e81a611c98d055f0462ab30628

Download Submit