52a4b7ac73f100099b6bb3c6c82ffe809cf851880cd9a66edbde74ef3149b71b

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b721cda796355822135677cd008513b0N.exe
Size

2.6MB
MD5

b721cda796355822135677cd008513b0
SHA1

a29a3537f0ef3f24c91697a1a97a4cbbc61e5456
SHA256

52a4b7ac73f100099b6bb3c6c82ffe809cf851880cd9a66edbde74ef3149b71b
SHA512

4eafc3171d0b9eea0ff93fef1bf8392caa3d2f90072268ee5aa292030e0bb0dad73911bc5cb060219a8c7705589b6a661da207579c05d115981b496f72523f55
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	b721cda796355822135677cd008513b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1996	sysaopti.exe
2740	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	b721cda796355822135677cd008513b0N.exe
2280	b721cda796355822135677cd008513b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0B\\xoptisys.exe"	b721cda796355822135677cd008513b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDU\\bodxec.exe"	b721cda796355822135677cd008513b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b721cda796355822135677cd008513b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	b721cda796355822135677cd008513b0N.exe
2280	b721cda796355822135677cd008513b0N.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe
1996	sysaopti.exe
2740	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1996	2280	b721cda796355822135677cd008513b0N.exe	31
PID 2280 wrote to memory of 1996	2280	b721cda796355822135677cd008513b0N.exe	31
PID 2280 wrote to memory of 1996	2280	b721cda796355822135677cd008513b0N.exe	31
PID 2280 wrote to memory of 1996	2280	b721cda796355822135677cd008513b0N.exe	31
PID 2280 wrote to memory of 2740	2280	b721cda796355822135677cd008513b0N.exe	32
PID 2280 wrote to memory of 2740	2280	b721cda796355822135677cd008513b0N.exe	32
PID 2280 wrote to memory of 2740	2280	b721cda796355822135677cd008513b0N.exe	32
PID 2280 wrote to memory of 2740	2280	b721cda796355822135677cd008513b0N.exe	32

C:\Users\Admin\AppData\Local\Temp\b721cda796355822135677cd008513b0N.exe
"C:\Users\Admin\AppData\Local\Temp\b721cda796355822135677cd008513b0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Adobe0B\xoptisys.exe
  C:\Adobe0B\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0B\xoptisys.exe

Filesize
2.6MB

MD5
d309993adf3359fc6b30e2e6670389b5

SHA1
25e144145d81ca7dbeae8d3c53dc2a2925276c7d

SHA256
636ab2abec36b06b8e782d10d04c98f69e83472b32f98765b78a41b10e1a2242

SHA512
45b4395317e248131ece721b2489dfb6d823d2a4c787b80e603a93b06370d462f1a652f265723445250aa227844ef2728eff7f233e85fae2ab85a6b76ca6a33d

Download Submit
C:\MintDU\bodxec.exe

Filesize
486KB

MD5
e1b8e8ecd8cf17356b4b49e86ce74b3b

SHA1
916abde448f2118c3558bfd3b126a4c002ee3a79

SHA256
02ba0c9655cc6af1da95d351cd565a08c146f1fbc995850c5716eaba1b8fc699

SHA512
b16660b31cfc57411332c8d6028a784312d4754e6e5dcc9a50bd9c4d90cdea9cc02b47a78386fbf3d10b10250110fc647345c49a9005fe26e99278b349dc571c

Download Submit
C:\MintDU\bodxec.exe

Filesize
2.6MB

MD5
c4bd4daea9e8edb309ffb97044b99367

SHA1
b0ee00276ab7c1c964ef41db54c7a59631b193d9

SHA256
d326369e7df464f4080ebe52090c5f6d077a27ba5235602dec413b35871e6878

SHA512
26be535e064ea6ff4e6f25d7af173e70f2489fc307639a36dd5e2dde0ecdeee90e42defdfd6c6b17a98f189ef557d19c143d1c24e33d6dac9d6da4a67fe971f3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
d7ce49077a81735a821648b9780854f7

SHA1
29e66f790edf9b050fe3b94c9a38809c11722974

SHA256
e5f0df21c50c357e9cd4127c27bc36c5fe4bb75a079d6237d3ad09c21a4f979d

SHA512
f55014e81c428a3ea5a753ee82a2bb47de9c5c2dfa670caa8b0e0cb254bcbc01c3165a87d262c67058fd60bee0116e86d140bb80c4a10496d129ae36ed39cf4e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
57c57851535a43f549af9b62eb72193f

SHA1
568ecc4ab7c61ac4d00fd6511b7cdb8ea1cafc64

SHA256
ada0460e2bea3b4401becba1b6b48fa94405de2a9be688b9d1e192032e131f20

SHA512
b5c4418c096d03678f7c01b46c47b3f28baded9e6f5c1cd1937a2c65f06ac917dff717527414fc78159d84589f4b0a6095a42c1b31571f7bc4348fd63caa4fb5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
22989b19961f6b9fe17d5cf183a2bfc3

SHA1
b26bf935d49ee07c1c0744462c0dc2f77a67531f

SHA256
6f5812a10f22a02b82e8950b65fcfc88c57045e3f2b190492939fd7e6c5d4003

SHA512
a185a42bf86dba73f635bf2955e4b2992add49936ee5489db0d28906f02ccb2dfc6fa918156307f9d452a6f95fa65a65f7026eda2d20886ab0a0c4ae27f5c17a

Download Submit