Analysis

max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:04
Static task: static1

Behavioral task: behavioral1
  Sample: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Resource: win10v2004-20240802-en
General

Target: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
Size: 2.6MB
MD5: 33857aaf491139fc1ccf53db39555e6d
SHA1: 9530de07d75bf6a2122ac7dcd0ee58fad0aa2ce8
SHA256: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47
SHA512: bd8a14e1823d16adaace2f0c648b6f5ffa9b848232185ae295e7560683743c5ac7a2590d9db8034553afd38bed82f2f2f8e7a7df7215fd3fdf64b5e93a8aa64b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    by process: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe

Executes dropped EXE (2 IoCs)
  PID 3096  sysaopti.exe
  PID 4580  xbodloc.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1S\\xbodloc.exe"
    by process: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\optiaec.exe"
    by process: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: sysaopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: xbodloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4056  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe  (4 entries)
  PID 3096  sysaopti.exe  (30 entries, alternating in pairs with the xbodloc.exe entries below)
  PID 4580  xbodloc.exe  (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4056 (f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe) wrote to memory of PID 3096, procid_target 92  (3 entries)
  PID 4056 (f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe) wrote to memory of PID 4580, procid_target 93  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe  (PID 4056)
  command line: "C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (PID 3096, child of PID 4056)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Files1S\xbodloc.exe  (PID 4580, child of PID 4056)
    command line: C:\Files1S\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 17KB
MD5: b368be22b6f3efa4cb1810b4e2cb27d5
SHA1: 96d9349871e2237380f6a6a964652272f27904cf
SHA256: 0ce0efd3c2aeed662f19833d3c79744b8359494af12b382b3e7777d0c7994675
SHA512: af2f2195302b6a944a5992be11177f07c76f88b892b66482c2c157ae316974d20fe28185e8aebe84e480ad1d768f3116cf63f72f7876477c9534741de1d0a0c9

Filesize: 2.6MB
MD5: d819e8ee1b49c3100c84602b07f39c53
SHA1: f4c9baf33cf7e8df4cd541409744556d79deb073
SHA256: 054a3b847575d76efa4f09ddce9e5ebc8fb8cc066cf2d57d3e8135f2260ad288
SHA512: 6da752a2e0b60aa9c41cf056d1635d92d92307749661034bba95b3a29d3cdb59298b2a87d7ec8fe7971e3e71e34e8714622d2d406bdd9f155c04399c92207484

Filesize: 12KB
MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

Filesize: 2.6MB
MD5: bb28c6c767235644c585e3bdd462431c
SHA1: 987c425dae3cb9a528ffdb7ff7aaf3035a513775
SHA256: 2eebbdc69c18bfba0d93c84ec4c53d8bbc545b2a961fb13f80e83d4f9cdfbe96
SHA512: 52f7dd7b5d12ac5a40c919a048a57cc9f58eee83fb0c7ae54ce0b27af8770917013ed50f35fcc424a9ac2152c856aadd121a06a701a67fd6aa369c8a741b8643

Filesize: 201B
MD5: b2f7d5c0f9ce10cadf6f8273903220a8
SHA1: 4248a149860367004ad6017a93aef54a9b7dc5a5
SHA256: 40da32f78a992be999daa600bd51685178b79f968c5a170f4cd5b90825cc3df3
SHA512: cd4173132302e09a2f83391bbed64955f9384ce3be0da258c9fb9b7af5455df9c09d4f7a6c81924efd1ae3ad7435189c68dc795e5723c11c050b0b54326401fe

Filesize: 169B
MD5: b50ad40c11403182bdd3e63fd2f51911
SHA1: c9debdced362fd3d73342c98095711c8e7618aab
SHA256: b8fc3eea296c2bacd35667b83fec10a4096b7870d1a9bc5c98472912ece39010
SHA512: 5907498aea9387584b07cd26398a0b6eddab56db2f80dd98833002ef20fc6611ee873eeee8e9a7fb517917a4c61e838286647d7c2808b3f929679c3309edea4b

Filesize: 2.6MB
MD5: 30822b51d1508e1fb9c14f48bee9f4d6
SHA1: 49faa70482c4db6f0865fe28fdc53e36d5702f1d
SHA256: 9b86b025438597309fefd7edec837f855072cad3b290683374fd1e74b803dfab
SHA512: 3eb5e31ef17a1bd01eaed70f57fa406f583e749139c899012c4e45af6e2b4fc5dec70ed0db70391798e5d9a815ccdaf687a94877f79475df2fa6397c3c2e946d