4d8d24f39d1527a4660fb3530c5853e36e35ef90b9c1bd72b7c64a592956d7a4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935e8330a277f53f5ae26a2cd6c7c9a0N.exe
Size

2.6MB
MD5

935e8330a277f53f5ae26a2cd6c7c9a0
SHA1

59c92a2554fb4d11c71d9bfbb4dc72e828d63db6
SHA256

4d8d24f39d1527a4660fb3530c5853e36e35ef90b9c1bd72b7c64a592956d7a4
SHA512

416356bc4eb73f0cd4ff43a4ee39e461b931a62d42ebb6361cf96fd0d11096fdf47e602b75571217421ab8d93ebb6e483c0806ca64b3f765ed286f8bf0e88f52
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	sysabod.exe
2644	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJV\\xoptiec.exe"	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ73\\optidevloc.exe"	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe
3036	sysabod.exe
2644	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3036	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	31
PID 2324 wrote to memory of 3036	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	31
PID 2324 wrote to memory of 3036	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	31
PID 2324 wrote to memory of 3036	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	31
PID 2324 wrote to memory of 2644	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	32
PID 2324 wrote to memory of 2644	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	32
PID 2324 wrote to memory of 2644	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	32
PID 2324 wrote to memory of 2644	2324	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	32

C:\Users\Admin\AppData\Local\Temp\935e8330a277f53f5ae26a2cd6c7c9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\935e8330a277f53f5ae26a2cd6c7c9a0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\IntelprocJV\xoptiec.exe
  C:\IntelprocJV\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJV\xoptiec.exe

Filesize
2.6MB

MD5
0a8812e39f82d34c85700ab1d7607b87

SHA1
88d93d187d19c9fe1ba45d9db3f1a7b8a7bfb577

SHA256
339c27f326f1ef5ffcb8eedd86a6c61682976d4f6e4c654a9999c3c987f17dc4

SHA512
3e792ae025cb9231930bf805ce1c4dc46399e52c34d2a845b0fbec4d08e6bae9d2f41cf576c0ba4a0c6fc7f53407d3f3902ed1f1afe981f03dfcb7c02a9c7af3

Download Submit
C:\LabZ73\optidevloc.exe

Filesize
2.6MB

MD5
112440f149fab2d8915296a1401c2bac

SHA1
669e192a30a626068f6c4033509ba5bb8e2917e5

SHA256
4f4a858a64d6f51424c4955290a7e6158687719fe5fd9d70c864a7d58f0a9aad

SHA512
93edfe1bf13e13d0a6c4b2560ff291f466fb33aa635a08d666e195029c7a788e6b9dcfea9ce18eb0dcd6fe86c94ec47b096312599d97b208af4ff5b97f5bd4ee

Download Submit
C:\LabZ73\optidevloc.exe

Filesize
2.6MB

MD5
c029943995f5abac1c002822a99bd35b

SHA1
bd4b53247b738b00437f2427586b5d24a593747b

SHA256
8e420aee076bfbe515cd4be8a1ded7a4d6b8d544f969f1debac79109dd79d559

SHA512
5321c36f5e0bd79cb13ceca0f6d6535fd2775968c75e849513854ebb2248175b1574a854697097874a87922f1f84dc4677f6b067e7902e4813ecbd7e7071e053

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
5f1126c6e901f16ab402fc589ddb33ea

SHA1
86c19b289c69a73a3030d4b3a93f0e059b3ca80c

SHA256
1c031067d9fd35fb7db1a791197223832e8411d4222c277aa69cd749c1926384

SHA512
662d205cb593833108ed098861f961bd02f87b236ce00617f73cb206063617a42540c69f0d41130c5954dd5fa34669cfd7ece4a1479486b5ad426c8e939d4b59

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
f7ff64af3582cbce438c8e94f4ec7912

SHA1
c8fb975d2e5d17032997f952bd2f766bed1188bb

SHA256
919433876d8f7e367d6b902a64f923958c71ec95ecd01259ac0a3f64c210326a

SHA512
c3985256739ffc0848765991537bde5c6f977efd61fff9a7c3a25fe44b926706246a8d0209b1772201d200c582785f37eca5906862b33e2766bb3a9fec7497e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
31a90d246468da5f4d0b4e4e635d74cd

SHA1
e4d003ba5085441f7b7c95339dd08659e4dc9157

SHA256
1f8f3c319a0852c0afbd793a624adf7cae778518d3f893774d0a03ba6fdcfa45

SHA512
96fa077d2665a4b6f5452b8d9bbc0576137c4d1e8090469c6cbfb389d6cef05cc854285409a9f4be9fc3645191c94a296ef82db571d28d89aa3f5e9e45aa7348

Download Submit