2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1454ad825bd6c8f015b5b9aca1632310N.exe
Size

2.6MB
MD5

1454ad825bd6c8f015b5b9aca1632310
SHA1

73715608800c2b1373ef1f4b3be103cfbc91b474
SHA256

2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259
SHA512

ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	1454ad825bd6c8f015b5b9aca1632310N.exe

Executes dropped EXE 2 IoCs

pid	Process
4904	sysadob.exe
3300	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFA\\xoptiec.exe"	1454ad825bd6c8f015b5b9aca1632310N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAJ\\bodxec.exe"	1454ad825bd6c8f015b5b9aca1632310N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1454ad825bd6c8f015b5b9aca1632310N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3412	1454ad825bd6c8f015b5b9aca1632310N.exe
3412	1454ad825bd6c8f015b5b9aca1632310N.exe
3412	1454ad825bd6c8f015b5b9aca1632310N.exe
3412	1454ad825bd6c8f015b5b9aca1632310N.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe
4904	sysadob.exe
4904	sysadob.exe
3300	xoptiec.exe
3300	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4904	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	87
PID 3412 wrote to memory of 4904	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	87
PID 3412 wrote to memory of 4904	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	87
PID 3412 wrote to memory of 3300	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	88
PID 3412 wrote to memory of 3300	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	88
PID 3412 wrote to memory of 3300	3412	1454ad825bd6c8f015b5b9aca1632310N.exe	88

C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe
"C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\IntelprocFA\xoptiec.exe
  C:\IntelprocFA\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocFA\xoptiec.exe

Filesize
303KB

MD5
215c25d26ffd06c0b37405fca16dd463

SHA1
1488b2ac4efdcb3cec596d664a5b372b93e6701c

SHA256
1cea2d5d6ca3b64f57b4ed74ebf4802ad0f4f53329ddf61be4a3fde6f1b9ce67

SHA512
82213663d545e3a1a6087a4a94cd5bdeb25c323d298b9aa6d228b5f34721237573c79da23add48c11584a7aa232913c388cdb37d1811a3f83fd3aaabe45100e2

Download Submit
C:\IntelprocFA\xoptiec.exe

Filesize
2.6MB

MD5
247905a9b0628414b1b590f2ef4c0776

SHA1
597f6c75ca1786c55fb78e287db2717b13bf10b0

SHA256
afd65e98969853e46eb71f484a65ba1e630842452d04f5c709a62641c62ef9f3

SHA512
f6fe6794459c1c8c03e9befdd95b13af7170c94940bd1cf7231dee7e01094433f0637c36ffb17d880dd8e5d69e1dea6a6e7c1aa72e5c964b61d36fe388268cef

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
a1283dd5c3ee4e5614ccb8223b079a79

SHA1
0c68c39da326d4167d302b47c712e23af6c80061

SHA256
139459f50f57dcf2359650d568682f800d68887a0b55dcf602f97e87721f11c8

SHA512
f5a5689a6d0f7bd55c307bdb53053edb0b8032733b5b995b1d6f5930c739995e000c8cd228d1d5a41f90bf6f75e0466921764e47fd77eb45c591e643565cd615

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
ffc58ac99b6a39ba2e8e7925317647a6

SHA1
7b7a3fcacf9c02e4f5cda88797d3fa1b6a1fe1fc

SHA256
f84234f8c8f3a748a47f7c7e370dc4d89fcd3be86c609b45645bfc82f28111d7

SHA512
304bd5d827063b2997e71f8e2251cff28e8996fd7448bb28b42c228aa7e05305db37e5c16fe6dd234a43ebb49e70179660b267d87442bbadc860d728de94994d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
883fc423a0ae2e694f973ace798a9076

SHA1
a5e4756605948c4b9ac45f616c4778be5e7f4024

SHA256
840e697c90b33d430c2861cc1847e2212a415c22730c70cb0089ed48968a62e2

SHA512
c6d1066ad5365d615d3519b4a8167ad55edd26589ac730ee282e5d2c8a454da548ccbcf962fc1fdca332b4ca0c20e53def451c2b0c4dc7fd04544bd1866cad44

Download Submit
C:\VidAJ\bodxec.exe

Filesize
2.6MB

MD5
584b5529b7215f296556284518817be5

SHA1
3a71a7da8a683c4787f158c258589cad814e9718

SHA256
fb6500485ddc4bd45caebab384ad28748e867c5ee9e8ae48a7d5ab65bcb7feda

SHA512
3eed7f363e73367289353fcd8afa8c6d2aae17b238a42a3f5ef14374888622b515f6ebd94c7b980339446914a71c1f4416c608b6ced32f3a943000e680be00f4

Download Submit
C:\VidAJ\bodxec.exe

Filesize
2.6MB

MD5
4d79d663909d42d95db9fecbbeafa477

SHA1
71f7b23e7405aa1c5483d490f26d50f3a8af7607

SHA256
79ce00d364fa673b97bf4a4e47a2e92b2335ee31c3e076b8eaaf2070b564a8a9

SHA512
9681c566559fdf83adfe44feb423cba414462cf4fef139e2fe3e7d345523ce562fa448df44ac6427764ae8d947c54c68c44344dfc83ba06cfba4f063cf351714

Download Submit