26d0f8bbea034e94934b5e138d5bfeb8c8e3a60967571a212ca4743dc4255386

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

853aa45dfc957703c23d4cb7056c9040N.exe
Size

2.6MB
MD5

853aa45dfc957703c23d4cb7056c9040
SHA1

2b397b31a5f7258cec43db9ec654204459b578d6
SHA256

26d0f8bbea034e94934b5e138d5bfeb8c8e3a60967571a212ca4743dc4255386
SHA512

3417ffaade5ffb045ec859d19354dd4e718e27dd6ce1f22138f25b0590d49f6a100d94d1a8f12737a8d54b647499745698c196a691a536d3fbc78d8ac7b999d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	853aa45dfc957703c23d4cb7056c9040N.exe

Executes dropped EXE 2 IoCs

pid	Process
992	locdevdob.exe
3908	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXM\\xbodsys.exe"	853aa45dfc957703c23d4cb7056c9040N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIL\\optiasys.exe"	853aa45dfc957703c23d4cb7056c9040N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	853aa45dfc957703c23d4cb7056c9040N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3628	853aa45dfc957703c23d4cb7056c9040N.exe
3628	853aa45dfc957703c23d4cb7056c9040N.exe
3628	853aa45dfc957703c23d4cb7056c9040N.exe
3628	853aa45dfc957703c23d4cb7056c9040N.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe
992	locdevdob.exe
992	locdevdob.exe
3908	xbodsys.exe
3908	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 992	3628	853aa45dfc957703c23d4cb7056c9040N.exe	90
PID 3628 wrote to memory of 992	3628	853aa45dfc957703c23d4cb7056c9040N.exe	90
PID 3628 wrote to memory of 992	3628	853aa45dfc957703c23d4cb7056c9040N.exe	90
PID 3628 wrote to memory of 3908	3628	853aa45dfc957703c23d4cb7056c9040N.exe	91
PID 3628 wrote to memory of 3908	3628	853aa45dfc957703c23d4cb7056c9040N.exe	91
PID 3628 wrote to memory of 3908	3628	853aa45dfc957703c23d4cb7056c9040N.exe	91

C:\Users\Admin\AppData\Local\Temp\853aa45dfc957703c23d4cb7056c9040N.exe
"C:\Users\Admin\AppData\Local\Temp\853aa45dfc957703c23d4cb7056c9040N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\SysDrvXM\xbodsys.exe
  C:\SysDrvXM\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZIL\optiasys.exe

Filesize
1.6MB

MD5
693c0cb7916b3c6530563ec37bcbbb0a

SHA1
db42faaec08833b2013af0728d750a5bf37dca5e

SHA256
8198ffb1cc7c10f8afc5aaa61cb82ae097d6716596981cca7e2e30901a4f03a0

SHA512
b4e9b7f0685346c220e9e76b890a6651e82abbed80b7299192502d410dd5ccc790b7207abd03ed730cdbbc0a2234a2c7a0d839cb0d73a25464c2e8b8b705ea5e

Download Submit
C:\LabZIL\optiasys.exe

Filesize
534KB

MD5
717d8ae39787f8bd513f6e0d3e283ca8

SHA1
057da5012be40c69e5e9d7994f8b390dafb3f8fb

SHA256
ff528c279ebc1e6672f5a29599f43c83ac1a5caf49e6bcc658ff2fdd93111b9f

SHA512
05164a5e01b9fdcbd166a0cc78e087f4566cf51dcbe66337125ca7e5b566989b0d69897cd4d20ae7d3d5109fd3c9486ff4abc2e0a4523a389f9dd1a6ad2d1458

Download Submit
C:\SysDrvXM\xbodsys.exe

Filesize
833KB

MD5
6b3a14c04b1fe0fd48ef204680a270a7

SHA1
3cfb6e02a4debac43f06ea5cc30ac46d36bbed08

SHA256
9c86c8760905f46ac9d01fd015dda53a6e906b5274704de5a0ac0843336e040e

SHA512
9d8b8c4373b033566f5c482f546f7202504be7b504764aa34c0ceb6b8206294f9528f5a23cdb4b088b15900c421032b8373b756ec989adb214b96008801d5a4e

Download Submit
C:\SysDrvXM\xbodsys.exe

Filesize
2.6MB

MD5
24458984d4279cd271bff9b200cba445

SHA1
12d1959edbc3c680b74f5fd9aff02020009644bd

SHA256
88c7072e3dcedb496883c4a7ff1e5d50b16fd707d1c7ccab8f1bad1102651a90

SHA512
bab138ce3f978f3d4c918e299a3cfb1682325e472fa75ae7f3165581a03a12072eca1bb7bbcf710b916470c809373f32310fe7295cb2967803c19b95f04b5f28

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
cde90bd588790b30d09e33664ff4b0e6

SHA1
2a40cd7eabc0464150cb2f32d88ad11ee0a15a53

SHA256
6c8fa8d3200c336d100355f058d9661d7541faf238369b005c1029a1e83b9fd1

SHA512
c0b1b7c57bd332c6fae7d19741a7efbd24f83e37907f6f0f8fb24e1e757e5e1663f842c6c7a81abd541868dec687fa27283dfc82414069be9874487ef65ba0b7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
75f1ebfa072ac1785b0b4c4f4916486c

SHA1
1168ef96f59f63d76d0eb1085c40a16b82d8a07d

SHA256
660bc9235a70169750f01cddde8bdfcbdd459e32cd37a94b3c549956e22cbea3

SHA512
a8db19392556c35adbaeea07bfcbc55b620b5f8888c8045827ea879929f52213ba8a5a811295ce82bd364f8788500a7e7074c21c89c8f14458574c5645a76aee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
862d198c3f5ac84b847e337a7744ddba

SHA1
66d4e87915e04f2893a4b9517b19bbab4e7da124

SHA256
3e248b72139baf27654005be8e416b834c5aae7b2ac0fc82af5eab87119acbd5

SHA512
86613756ff2323d6938da0987cafeff62c4090f036d442f8146f1d20999953b601144dc212a646ef22c246972b8904588db127ae9fdd1a0fa17b9fc37625f330

Download Submit