2258b8a79295b61acc7c7140f5c52b3215922dd904e96288f89b505f865b6b2a

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10756b87c243db57f44cd84a635cfee0N.exe
Size

2.6MB
MD5

10756b87c243db57f44cd84a635cfee0
SHA1

34a600d4c1bddb5793ec6a052f9ffbb7d5606558
SHA256

2258b8a79295b61acc7c7140f5c52b3215922dd904e96288f89b505f865b6b2a
SHA512

85850d371682a85ea92ba57e74d02c48eec4540936758676d6bbbcea1b77caf0f85cc51c226f8c1037b0a3ca44b32cbc6a146cb2a8fceb2f567445edadce28fb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp+b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	10756b87c243db57f44cd84a635cfee0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4664	sysxbod.exe
564	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW2\\xoptiec.exe"	10756b87c243db57f44cd84a635cfee0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE3\\dobasys.exe"	10756b87c243db57f44cd84a635cfee0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10756b87c243db57f44cd84a635cfee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4612	10756b87c243db57f44cd84a635cfee0N.exe
4612	10756b87c243db57f44cd84a635cfee0N.exe
4612	10756b87c243db57f44cd84a635cfee0N.exe
4612	10756b87c243db57f44cd84a635cfee0N.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe
4664	sysxbod.exe
4664	sysxbod.exe
564	xoptiec.exe
564	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4664	4612	10756b87c243db57f44cd84a635cfee0N.exe	88
PID 4612 wrote to memory of 4664	4612	10756b87c243db57f44cd84a635cfee0N.exe	88
PID 4612 wrote to memory of 4664	4612	10756b87c243db57f44cd84a635cfee0N.exe	88
PID 4612 wrote to memory of 564	4612	10756b87c243db57f44cd84a635cfee0N.exe	90
PID 4612 wrote to memory of 564	4612	10756b87c243db57f44cd84a635cfee0N.exe	90
PID 4612 wrote to memory of 564	4612	10756b87c243db57f44cd84a635cfee0N.exe	90

C:\Users\Admin\AppData\Local\Temp\10756b87c243db57f44cd84a635cfee0N.exe
"C:\Users\Admin\AppData\Local\Temp\10756b87c243db57f44cd84a635cfee0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\IntelprocW2\xoptiec.exe
  C:\IntelprocW2\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW2\xoptiec.exe

Filesize
2.6MB

MD5
8a0fe1cd752302e7ffb991af85b55fef

SHA1
23b36164959cbc306462909b70f7e15d8b24ef24

SHA256
b8725811e57a1846009284e3fdbecf052e5277a8bf86ff091fa7f3321664e443

SHA512
5e62a6befa3d5f31c57e02aef00787e1292f807688df0d6dc53054dfb63b2fcc6b351852bd0486eae10acd1a92e35413abebab7af2037f19b38f8dd24725f218

Download Submit
C:\KaVBE3\dobasys.exe

Filesize
2.6MB

MD5
61429017ce0e5dc34e4e4b7e5f92a5ad

SHA1
0c8c6cc75366cd1dfecc2b0a70d5a24caa09c081

SHA256
ecfd7beb802d69cdea957687e9e6eff459a7ce2c28b35e0825458d75051733dc

SHA512
209efb3a2097f0f56faa6ccf945f63b20387bb038f31934ee93e4c67476425cb83282e151092d730552711ee2974ce137b2c4a52cd623ea61de875a0ddc8a513

Download Submit
C:\KaVBE3\dobasys.exe

Filesize
2.6MB

MD5
7b9eb765f6ee00a2a0e8bb2791e271f8

SHA1
39a05864adaeb1c4f571d69d8d8b66ff92ba6904

SHA256
509197e32c9e0d2d132fe9ee9c71cd959bfa16de69a60a78105a6cb4d06622cd

SHA512
aab16700a9aa27b872129828a44addb34c6da4b0f6d02d4283573703c7fc1e296f16c444827552d1ef27c194b327cb262b4f310a710d5c7d208ad3f450c2168e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
36e2047d39ca005d49da809e2d9f4d25

SHA1
2ad600cdf442f48ab02493b2aaae463246665a48

SHA256
60f9f321509afdfe5e73acfa4e6dd1af33b775c7d2f7df147feb84a14a150183

SHA512
98d95ffee14a7ea3dd0d35d53025b52fd657787880e70bfc41ce28d2b8fb796f043b4657f264a1787af57c36a5b50d0fbb8ad58372a7546fbe1d766dd5a1560d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
aee34f829e3a69bccd1132cab5efa56c

SHA1
8ef42fa41625a4600e856053a07b83c98545a8f6

SHA256
d2c85259c7718c3593401a9780fdf5c9bb443b19eecf9d0e0607bf92705eb223

SHA512
349e629531c4bcb393c3195963d142e1a9131f01316d10d5e50bcec96707bba9c810f47b6e1059066f321368e298529d71335294e296e1254bbb2b8c7ae26375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
1a3c27e0373b581eeed3c38a4a924cd8

SHA1
3dfa259ab81d0f95e31a66ed4801aedfbaf2edb0

SHA256
4837a95210b02269ec80a24ea07661f3143e9b5ece4cca5c18dacaf4560d8703

SHA512
1041414c5741a8e75b822b9c3798f8907688eeb91a6ed18b298188730d51e85524ca293dd794cf9aef97ba0485906ed7067762d358d398433c095b0589823fa3

Download Submit