2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1454ad825bd6c8f015b5b9aca1632310N.exe
Size

2.6MB
MD5

1454ad825bd6c8f015b5b9aca1632310
SHA1

73715608800c2b1373ef1f4b3be103cfbc91b474
SHA256

2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259
SHA512

ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	1454ad825bd6c8f015b5b9aca1632310N.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	sysdevbod.exe
2028	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	1454ad825bd6c8f015b5b9aca1632310N.exe
1908	1454ad825bd6c8f015b5b9aca1632310N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK5\\xbodec.exe"	1454ad825bd6c8f015b5b9aca1632310N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGP\\optixloc.exe"	1454ad825bd6c8f015b5b9aca1632310N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1454ad825bd6c8f015b5b9aca1632310N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	1454ad825bd6c8f015b5b9aca1632310N.exe
1908	1454ad825bd6c8f015b5b9aca1632310N.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe
1248	sysdevbod.exe
2028	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1248	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	31
PID 1908 wrote to memory of 1248	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	31
PID 1908 wrote to memory of 1248	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	31
PID 1908 wrote to memory of 1248	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	31
PID 1908 wrote to memory of 2028	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	32
PID 1908 wrote to memory of 2028	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	32
PID 1908 wrote to memory of 2028	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	32
PID 1908 wrote to memory of 2028	1908	1454ad825bd6c8f015b5b9aca1632310N.exe	32

C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe
"C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\AdobeK5\xbodec.exe
  C:\AdobeK5\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeK5\xbodec.exe

Filesize
2.6MB

MD5
90807cc3f1e3812d65582698070d402c

SHA1
8c0d40fb7be6b3f1e6fcf86790dfbe81b1589e93

SHA256
6d3259726eb8f7612c2a890e434e67fb0dc273df17b838a89e76dad9e4daa669

SHA512
ed5aafa397e58aa61ab3019a88e881f04ed0a001afb62c24147ea26db6d58236075e5b7d4f3d26ea45ada57911196c57aff414c39112eae7017c35c0d89508be

Download Submit
C:\MintGP\optixloc.exe

Filesize
2.6MB

MD5
92f96d5b50b62028f18cf2abed2f1e4e

SHA1
d4bef2528af92d689ab28fe680429a4b6e326fc4

SHA256
958c9b2685fd1654483c5de2c8fff280b1cea1cf7bea50110fb1eea851daf730

SHA512
788b0a541fc61385ea0e01f48686f830c35a35999e38ed7c26eb763dbc39a66a42f8bf83a2fc7a15e49e3d821c2100055dcc0f7c40f2a25b7a859d704a6a9a64

Download Submit
C:\MintGP\optixloc.exe

Filesize
2.6MB

MD5
7da8e49d1fb7ee1b6a31c24015e923d6

SHA1
7f9746254f1e8c1dd73d3a38ab3be30a37ebacfb

SHA256
feff384c8f820e384aaf09d667187cc6365b20e8dbea4af979ce7d1b71786554

SHA512
c96fd2405cbb49e40ef0574ad51630e68ec961395ad6424e3a24579032fbaa57d89e3530740e9a8bd3d99552fafbab37fe2359ca15fb164ec00a0d37b435eef6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
6bc2b33255344b6c3f502604d99d9f5f

SHA1
c6c38d0a602d8e88ae5ac25b5df72811adf89b3d

SHA256
dfa7cbbdce3d5c71892903b21abda51480e1b6aec9f57a66667ebef0abdbcb8f

SHA512
f546e05a14d0228688dd0fe61b89920c6c959ce519f077a23e05195c4dc40cb2f24fcb344fd72a0aba73615d5f5dbfe1424e02b45d3a6b0a3d74d563337f5cef

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
8bc88ed5038d432dd5ca3e06f5da05d1

SHA1
c819865601fc1159ecda7aa0479c1d8d1c6f5138

SHA256
696ad8d69d994ee71a5fbf24282a101ab0e446df0dfeff6852d5a51ca1a35401

SHA512
5d61b3e840193b7c021a7a2bedc0e4ab4f4eae0e5165f99b49f805a35e6a949c96f40fb21ab5b41394ba11b5082f249aa90857c3d8d725b1291ecac3188f8f81

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
98c4c820bd3baca28721588ac2a5901a

SHA1
ab7ebcbca72e7dbb96e2cf1620d8d3485b813cbe

SHA256
30b4d528a66b1950dfd9fdeaa2ca31bb9efd932b409900a326b784c34f6d2202

SHA512
21e225558b2aebbd1a7af551d76431ff5ded919cf77397fe6801d819bdcbb89d36b91d0ad5110da49bc5a5994fd2c73a38982090b14e4b758c6c201afad9655b

Download Submit