19129e487946dcd082c566fd4baeff3fb051b348dec2e3184d6d79c087bcff55

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cbb9e5e3233f6fbff8dfd3d35815960N.exe
Size

2.6MB
MD5

3cbb9e5e3233f6fbff8dfd3d35815960
SHA1

0ad9c955fa586f4333c7940b135e0c20994a01f0
SHA256

19129e487946dcd082c566fd4baeff3fb051b348dec2e3184d6d79c087bcff55
SHA512

b936ec65a4deb9dbbf6cef019c379734832bcb4bcc6205d06ba5d0edfcd9fdf41d742aca8955853a99723647b4ceaef7c184f2793b73c81822c69a7026841682
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpAb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	3cbb9e5e3233f6fbff8dfd3d35815960N.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	sysxopti.exe
2728	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBW\\adobloc.exe"	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOB\\optiasys.exe"	3cbb9e5e3233f6fbff8dfd3d35815960N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe
4596	sysxopti.exe
4596	sysxopti.exe
2728	adobloc.exe
2728	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4596	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	89
PID 452 wrote to memory of 4596	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	89
PID 452 wrote to memory of 4596	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	89
PID 452 wrote to memory of 2728	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	91
PID 452 wrote to memory of 2728	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	91
PID 452 wrote to memory of 2728	452	3cbb9e5e3233f6fbff8dfd3d35815960N.exe	91

C:\Users\Admin\AppData\Local\Temp\3cbb9e5e3233f6fbff8dfd3d35815960N.exe
"C:\Users\Admin\AppData\Local\Temp\3cbb9e5e3233f6fbff8dfd3d35815960N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\UserDotBW\adobloc.exe
  C:\UserDotBW\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBOB\optiasys.exe

Filesize
1.0MB

MD5
e406407519bdc009ca995b51fc80088c

SHA1
44c3e6a09a1b139f6750ab75b5a6b0d3039c99c8

SHA256
302fe2df2bf52e102a61269c394e191e00dcf33ce26329b9603bf0cbf8545695

SHA512
8d1eda3f81734bb43e25bc3a7d3225b80462c54799b6d3589be1649dc9a6bfa24f8ac0ef1766f6cf07a8f61f1de78d538db410f58573c8de971889f9eb626c10

Download Submit
C:\KaVBOB\optiasys.exe

Filesize
909KB

MD5
1f20bc536cfb127e1e68879f46bade44

SHA1
56a25dbb4d5d7257d7022cbd84cb94921a751b93

SHA256
91e04bb2aa48ea0d5b83ba3b6e21834e6d3d33366ea14052fd494f053c0eb233

SHA512
97def4567fc35097fb7c60c1fdc035adb2662b8db0d920b42be785b6ffae93c6069e3228026feb730a0c8ab924e78e6949f27144a919f516e7310a6aaa5cb81f

Download Submit
C:\UserDotBW\adobloc.exe

Filesize
512B

MD5
e5f87ced043dbdc34bbd32a8dd98972e

SHA1
64802c7da01c2a964cff79e6e5038fd6aa5ba388

SHA256
481c17ffa324206b6ad488b63518822bcdb94e0b8487044790d29812cb164295

SHA512
1b6992d7e5a3b0472b16f5ac08ad73b4a5f15cbc0b383e94c2a67c7d35a779abd25b5a0551f1aa5716bab77a9dcd396e2131b700f7d679b9f8518f173b80613f

Download Submit
C:\UserDotBW\adobloc.exe

Filesize
2.6MB

MD5
3fc7cee6244c3348a8f39b4c844d6a4c

SHA1
f478e591f8fab5a0afbc20680d2d97e07803cf8d

SHA256
6681838df73a39904a404d18a384aac902ff20edf6f4424d43806112c89d9879

SHA512
55da70376ad768ffbda4819f7d98e50f0f354e48a51e512df7e01032bb8a162302be28588f8bcf029150f87910a384e26ed7bb1324c7850fe2db394b7a989ef9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
f557623de5e5a69bfb3a9af0e5fce036

SHA1
76373804a83a7ead76f957e7e96c59beb49179d9

SHA256
e58506189f66cd105110b63d22f40d005c29e716627e56a61f2d480e941a9a1b

SHA512
c60acc6d37e7afcb18279c1c025934f8a60c2dd793dcd78f1eba65d420dc8952b89a901c4ba89a6f35760af17a9c6b4cfb7cbb972ecc8499657bba90ef6f5ffa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
9fb31b0ba36327a7b1209f66c8e45432

SHA1
0c9e0fb9a458361f1dc7f01d48f47b3acb208758

SHA256
fea3b18deb4e52fe234abfaadb2a47f74be4cfe369fb282d1279ac06a637dc1d

SHA512
e5b04e0c803f5cd703ddd296f417f8e00c37d45aff676457be45897fe5af68e02f6f6642aca0c29e9147bce24ef32c19c25294b837b6b79a2ae753a73ce8db09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
90f76d05909d54a98af346e867b8328b

SHA1
5beb9e4a3c10f4d103b244d5c9232423f22771c6

SHA256
bc4de70f4a65ddb253df9afe2cb0565760753628d44281f7ccbcd09a7a9dd4c0

SHA512
71ec4a1e6d3202d4e6560755f92960678b51114d54c451c7a57063b65553cbea90775d7edcdaae868d3fe84f8335895331bda282aeca2150d249544cd625875e

Download Submit