30c3978723b1c4e91f0c55705218d0dc26fbd70ec9bf458ab3a045154b49fc0a

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

728b370fe514bc5c47903d44bfca7460N.exe
Size

2.6MB
MD5

728b370fe514bc5c47903d44bfca7460
SHA1

aac07917ac01ff28260b6d10053ee5ddff4eac72
SHA256

30c3978723b1c4e91f0c55705218d0dc26fbd70ec9bf458ab3a045154b49fc0a
SHA512

a5c9c473d5de2ae1876a069d49d82e0cdf2d4319294a48564524fbd8265a3e16f4f95557283229b6192c916846cec79efc05c566a02b267d992ecb7433a5bf6d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	728b370fe514bc5c47903d44bfca7460N.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	sysxdob.exe
2792	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	728b370fe514bc5c47903d44bfca7460N.exe
1692	728b370fe514bc5c47903d44bfca7460N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJW\\xoptiec.exe"	728b370fe514bc5c47903d44bfca7460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKG\\bodxec.exe"	728b370fe514bc5c47903d44bfca7460N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728b370fe514bc5c47903d44bfca7460N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	728b370fe514bc5c47903d44bfca7460N.exe
1692	728b370fe514bc5c47903d44bfca7460N.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe
2272	sysxdob.exe
2792	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2272	1692	728b370fe514bc5c47903d44bfca7460N.exe	29
PID 1692 wrote to memory of 2272	1692	728b370fe514bc5c47903d44bfca7460N.exe	29
PID 1692 wrote to memory of 2272	1692	728b370fe514bc5c47903d44bfca7460N.exe	29
PID 1692 wrote to memory of 2272	1692	728b370fe514bc5c47903d44bfca7460N.exe	29
PID 1692 wrote to memory of 2792	1692	728b370fe514bc5c47903d44bfca7460N.exe	30
PID 1692 wrote to memory of 2792	1692	728b370fe514bc5c47903d44bfca7460N.exe	30
PID 1692 wrote to memory of 2792	1692	728b370fe514bc5c47903d44bfca7460N.exe	30
PID 1692 wrote to memory of 2792	1692	728b370fe514bc5c47903d44bfca7460N.exe	30

C:\Users\Admin\AppData\Local\Temp\728b370fe514bc5c47903d44bfca7460N.exe
"C:\Users\Admin\AppData\Local\Temp\728b370fe514bc5c47903d44bfca7460N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\SysDrvJW\xoptiec.exe
  C:\SysDrvJW\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBKG\bodxec.exe

Filesize
14KB

MD5
5ffab038d17d47771c031d3b701e0cc5

SHA1
74d331d26e5210e7e523c750b0080e1641bb61f5

SHA256
1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

SHA512
fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

Download Submit
C:\KaVBKG\bodxec.exe

Filesize
2.6MB

MD5
49dfc67d9d54764ee82e511932b1a53a

SHA1
123361138b71dfddc31abfadbe86661efd1db18f

SHA256
e0fdba123e74f2b883a5d281d3300724170179f4017a825cd0202127521a68d5

SHA512
56812b5c98aa26211cbd9fd7048b29037493fa90ab221ed722a3797d44eaff80e4f173ce4fb391f3b2d409f4179b3fadaafe7f9da1f78532d0fd7706ae8900e3

Download Submit
C:\SysDrvJW\xoptiec.exe

Filesize
31KB

MD5
572f2f89fa83cd0e724756eb089249da

SHA1
cbfdd4e1e893e9f876d46a79247f38ade618a89b

SHA256
cf6be1e16babe319685181c0bc39e48b663392fba1475e11b83d9b9b772a2f54

SHA512
16d7748321e538202b878a175d219dd117f409a88d9ea0f79d0f873a9872b9c287f5166a26419d18ca54609ccd763dbef4b000816d7a243b0822fd78adb35950

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
03c96560d3940f825127cd725a1ad77e

SHA1
540786bfd8843de8b7b1afa0795546f6a0ca18ce

SHA256
1230f05a2de9267cf5c18ec9450d25c6dd22b58160c3b5d5a429c32ff3516162

SHA512
4fb30e4c42b5a9ec38a8606b015e77289e8ca0c53685cab3ff2b64e4946826cdf3e781790d64b9c7d40bfc4b55a2484cf5772314c1686df7160e3ed019c4ea98

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
8760f07344b1328f32eee9324a7ea4b1

SHA1
c910e2a5254d5c5b933b9fe3ad800005b0476b03

SHA256
caa293b52751187d4d2102097576215afad00ad45c61032d0de5d927515acd37

SHA512
6dca52a57aa3e08e67e48512c5041301c98bc70b4ccbaf84f2aded03d96ec9cf8f2cc272484f61a7ea452ee5d688793e05522267314bb40d7b5b5e226be4113e

Download Submit
\SysDrvJW\xoptiec.exe

Filesize
2.6MB

MD5
b299cf9a53a13028f8de5c76abeda3f6

SHA1
407b93ba80a4fc7541499c12b460833ff5838cc7

SHA256
0184bb2eadded2c2d34e06c906a2f8bf4ab87137bae1119ab0824629d120fa0d

SHA512
63d4debe1b677689aff1fb1ccb2509e3a6b6be5ee11db21bbb3a07c6566dfc614f3aebc7c3ab223f6235b4eddf48160d5b416ddbf739820da850f3d90e742296

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
af6833850c9e86c10b4d297fd4f94a47

SHA1
566cb817791d0b78f64c7a6d69db00baa806b4d0

SHA256
6251bd09db7c7f5c4a14e9a6453b439e2916ca645430c065433c01ac61cdcdc6

SHA512
015516d7975ded23cca6b70c339647a11bc835bdc8a9000f186b7bc7625eb6477bd713f5dbd62cea5fa5c1e07859d3bd949a79f61715a2fa0b204c5cb007c0d8

Download Submit