c3b369a69848da75bc31098a6a4f24b036c2fcc9634f17451f06cbe213ef0f9f

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80965b44d705b5cc644160777d8e3cb0N.exe
Size

2.6MB
MD5

80965b44d705b5cc644160777d8e3cb0
SHA1

8c437db70779fbc40b86ff837e1f40dc1c7a539d
SHA256

c3b369a69848da75bc31098a6a4f24b036c2fcc9634f17451f06cbe213ef0f9f
SHA512

48f4fae9874dba2d3d9525e069ee139ea17b55c3c8bf592b466efa1ad5aeee482876a9c813dfb05ff227df5b45820754c0afc5a0d2443223f36a2f6eccba70d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUp4b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	80965b44d705b5cc644160777d8e3cb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	sysadob.exe
2824	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	80965b44d705b5cc644160777d8e3cb0N.exe
1872	80965b44d705b5cc644160777d8e3cb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9W\\optidevec.exe"	80965b44d705b5cc644160777d8e3cb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX7\\xbodloc.exe"	80965b44d705b5cc644160777d8e3cb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80965b44d705b5cc644160777d8e3cb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	80965b44d705b5cc644160777d8e3cb0N.exe
1872	80965b44d705b5cc644160777d8e3cb0N.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe
2764	sysadob.exe
2824	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2764	1872	80965b44d705b5cc644160777d8e3cb0N.exe	30
PID 1872 wrote to memory of 2764	1872	80965b44d705b5cc644160777d8e3cb0N.exe	30
PID 1872 wrote to memory of 2764	1872	80965b44d705b5cc644160777d8e3cb0N.exe	30
PID 1872 wrote to memory of 2764	1872	80965b44d705b5cc644160777d8e3cb0N.exe	30
PID 1872 wrote to memory of 2824	1872	80965b44d705b5cc644160777d8e3cb0N.exe	31
PID 1872 wrote to memory of 2824	1872	80965b44d705b5cc644160777d8e3cb0N.exe	31
PID 1872 wrote to memory of 2824	1872	80965b44d705b5cc644160777d8e3cb0N.exe	31
PID 1872 wrote to memory of 2824	1872	80965b44d705b5cc644160777d8e3cb0N.exe	31

C:\Users\Admin\AppData\Local\Temp\80965b44d705b5cc644160777d8e3cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\80965b44d705b5cc644160777d8e3cb0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\IntelprocX7\xbodloc.exe
  C:\IntelprocX7\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocX7\xbodloc.exe

Filesize
2.6MB

MD5
f237317302f1c524a7d64e2a69a21bf5

SHA1
4ee184645893b185220f43c2131b895ec7cebefd

SHA256
9319c3920e1b55e74cfefcf7892fc028cb9814b24fa6b987c528703c9e3e288e

SHA512
b90a1157dfabc3011585f734439e15f998b271ac4e4adfbe2429e36b24075330958bd441fcfe4b20f5b72e82aa8fbe05e9f4e0daf342424140636af3566cc70a

Download Submit
C:\KaVB9W\optidevec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\KaVB9W\optidevec.exe

Filesize
2.6MB

MD5
a0411cb66aab05f602782814fd21e021

SHA1
79661a32f5f760e43459f7ea1d37ba68d79069a9

SHA256
d4edb1b1a9dbf4b80e7f00e5ed06c31c11518547ad93227d2492e294fc1dbb8d

SHA512
0b3af8f675c4909076b3327873286f11c587fa010580a0e0ed63ff7de339a3e1f77d18b1974066d730d4a863acf5387c2fd3fa57576ce0d3ad652aebd8ac9c9d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
624415f687631366197b74e677d16f34

SHA1
067ffe957125f707ca2f4b0aeb508885e376d72c

SHA256
6de9fb698a0d7c7e654e2fb340ee2a31b4ee69ea91707040783675fd57ba852a

SHA512
d05edb4c340ebc7318b29d182b9b964064ea4c41c269983a62a184d2b490c2316edf24469af6974fbaec64ae4a20160665d7fe06f99385e8d5fe82758d7d5086

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
54281dc7c0316043eeaed7cb20ae94dc

SHA1
e973acd9c5767928fe0639e19aca6d0d8c55e360

SHA256
a274ce37cfad3ca404bbd6fb497ae44f35532c07a61211c1689347ce33b8369d

SHA512
1f9f1940a9e2670d39c95dfb7b91c3506f1818755bb9268a9d0ad358f543f026954c43c74e4c341b6a8f35297bf40f8a8f881a51554036a08fa24904d809441a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
ab049fcde5597d9849e3796c803532d2

SHA1
57dba8ada042111f2de2588a8a7d8e44a8b44cdf

SHA256
bf878763800ea8404dc60e299dcba9bc95d1b9b6ec7f2b7e3e7042c35e381f16

SHA512
675071188fa3b4b6bbc0c4aefa244df6d72eb9904374d92ca6d719c177d8703f214f8e87a55e94253035c32a6ee7569af130c3b856a76b88bcf13d123b379944

Download Submit