7015ec6a29c8f8fed1c7806bb2b9ef24a56f0b935a5175a809c6d2e754a944a8

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5585e951255d9602322e48f40f8b3330N.exe
Size

2.6MB
MD5

5585e951255d9602322e48f40f8b3330
SHA1

fe97e6c37866e88ab046d516c2a552913eb707dc
SHA256

7015ec6a29c8f8fed1c7806bb2b9ef24a56f0b935a5175a809c6d2e754a944a8
SHA512

6ee178ed2cfc5a82893b20d0ac5d9dbf3c6fcf789e607739a19836272111ca2891554cdf458946c2dbcd55c1d06d7089ce22269aac11649f642987e1276a1013
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	5585e951255d9602322e48f40f8b3330N.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	sysdevopti.exe
2828	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	5585e951255d9602322e48f40f8b3330N.exe
2344	5585e951255d9602322e48f40f8b3330N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files44\\xbodec.exe"	5585e951255d9602322e48f40f8b3330N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\optixloc.exe"	5585e951255d9602322e48f40f8b3330N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5585e951255d9602322e48f40f8b3330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	5585e951255d9602322e48f40f8b3330N.exe
2344	5585e951255d9602322e48f40f8b3330N.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe
2268	sysdevopti.exe
2828	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2268	2344	5585e951255d9602322e48f40f8b3330N.exe	30
PID 2344 wrote to memory of 2268	2344	5585e951255d9602322e48f40f8b3330N.exe	30
PID 2344 wrote to memory of 2268	2344	5585e951255d9602322e48f40f8b3330N.exe	30
PID 2344 wrote to memory of 2268	2344	5585e951255d9602322e48f40f8b3330N.exe	30
PID 2344 wrote to memory of 2828	2344	5585e951255d9602322e48f40f8b3330N.exe	31
PID 2344 wrote to memory of 2828	2344	5585e951255d9602322e48f40f8b3330N.exe	31
PID 2344 wrote to memory of 2828	2344	5585e951255d9602322e48f40f8b3330N.exe	31
PID 2344 wrote to memory of 2828	2344	5585e951255d9602322e48f40f8b3330N.exe	31

C:\Users\Admin\AppData\Local\Temp\5585e951255d9602322e48f40f8b3330N.exe
"C:\Users\Admin\AppData\Local\Temp\5585e951255d9602322e48f40f8b3330N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Files44\xbodec.exe
  C:\Files44\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files44\xbodec.exe

Filesize
2.6MB

MD5
3caa02f4a200f2b144677b17b3d431b6

SHA1
4ecd34a0c6e01d8b9d0502471563e4a5f9e1a623

SHA256
9479fe76deba5ca0dd56d96660a9e6f4f50ab97650b78ba96da935d2b6c7c6bc

SHA512
96a2adb7bb29c53412225d7737fc27cc715f0dcc75a1869925db5dd4161df3a9a039bdfba33dfd74211a6f8c48d8cd4daf52513b824991416d64238133cebea5

Download Submit
C:\LabZJU\optixloc.exe

Filesize
2.6MB

MD5
c2ba9299f5d4ddc0e41bb3c6415614dc

SHA1
2f7d32285b433e64f4ab0f5fd61f7bbe7d7d23dc

SHA256
2fd6c04639e680a0cb9c1123c9b22ec65718d4a5829e82180d4c71394b5ce860

SHA512
41d128da992539b3911ffaa1589c0b5036f9aca0b5eb11b82f350ea1bb58e2a7a23406eb2f19869661cdac0a3542c66abe19d1eeb9b18861234c1abc6686e78e

Download Submit
C:\LabZJU\optixloc.exe

Filesize
2.6MB

MD5
52a07b7da906ee567b0ac1636bf2db2e

SHA1
5588c6710977d5af440f038fe26b878b67b29335

SHA256
2aa14dba42760a5f93934f782e6c38f38097a122bb9e272dda1573eb65772ae4

SHA512
c34d0e34ef1086fa2685384e98cbc19b51a93864c984f83027150ec0b4a640c306b0b1aa2fcaef567dc71820a7c326f09eb01194b55e47dc4e7437200b7125d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
27dfa6756e8809a67d64a70adfe92408

SHA1
083b8658d526300e4d287e2794c2b8266cc36e90

SHA256
10802628d9f35f9bdd851963ec82834f33f9165f6c4120b7f8b45bfa4e144215

SHA512
2458b759bdb84df451b1e4bb029c6aa94caa056f87f8db6f474c47b609f2f67b05feb204fe9c1a9c1c314fbd987c1255afa6080a524884d21f786762d54df61f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
cfbd8f5162b89ef888655e1d1a18ce3a

SHA1
6d9cde47e9f75d36dca6ea6eac0e4509550b1d09

SHA256
c96ee485ae0d8c67cb47ea2321dbd052178d3114c705d5656dc0901b149f971a

SHA512
18f29317d0806a7ab2a37c2f4d88f12001903cf17c590d0dcf7c0becc53e1d835c3987412d25ca62a9032004ab02d6fba71bfb0247856ec033815e5d2a972a90

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
e133bb45d7c0be2c952deb24f876d721

SHA1
33fbac4369733210da535fabcfeb045f98aa8ed5

SHA256
8fd385d0bba9c6dd879fe91393a405e831271bd0b2c536305de8d4cd14071bc2

SHA512
2a5bf34313a0729603ccff8e1494dd1bbf54e439a5b58f6414b818aeee3d647ed8c0c39f379072567aa43625b12ec777b81d4ba7d35d9a934c413e337f5a272c

Download Submit