f09180a270bfb25fe82f223b4720c9468eb806f2ea258b527df92b0b1b67361f

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
Size

2.6MB
MD5

d7bfc13f38ceb9a0b5ba44dac40dafb0
SHA1

69c5b072582b4a4cde7f2344e5a0f4c9309122b0
SHA256

f09180a270bfb25fe82f223b4720c9468eb806f2ea258b527df92b0b1b67361f
SHA512

79ac9bb70b2cc885ac5a5f1f19cc9d4aac014311ccb4033ac176bbe386ca904b1958ccd91c8dc418eccb056dcbf40ba80ff0e0ac8b8df5e2d35ed00b92ace6ce
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	sysdevopti.exe
2700	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXT\\optidevloc.exe"	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5K\\xbodec.exe"	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe
2848	sysdevopti.exe
2700	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2848	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	31
PID 2140 wrote to memory of 2848	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	31
PID 2140 wrote to memory of 2848	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	31
PID 2140 wrote to memory of 2848	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	31
PID 2140 wrote to memory of 2700	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	32
PID 2140 wrote to memory of 2700	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	32
PID 2140 wrote to memory of 2700	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	32
PID 2140 wrote to memory of 2700	2140	d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe	32

C:\Users\Admin\AppData\Local\Temp\d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe
"C:\Users\Admin\AppData\Local\Temp\d7bfc13f38ceb9a0b5ba44dac40dafb0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\SysDrv5K\xbodec.exe
  C:\SysDrv5K\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZXT\optidevloc.exe

Filesize
2.6MB

MD5
18898175b0735d0ca1c0d6ada9bcfb27

SHA1
a3825ad1406aa3ff82e0b34fb54bfe0959484c4f

SHA256
291cdac055c62261b5a0bac45f06b7ec1ab64017604a82fbd33c7b11054ecd1b

SHA512
d50405b0a20d62555fb6360546ab44970e6568f3e1c416e50aec7ad15cea8df69c385c9adbc129e994811356dc88f8cad556004f757dc6bf41ba0afc1886fb8d

Download Submit
C:\SysDrv5K\xbodec.exe

Filesize
2.6MB

MD5
c09cfe5951846de8da26b77ab7d23d1d

SHA1
832787e74265514f13ea00699685adba2d341b15

SHA256
9e62f84866bed9f9d22a0510f442640efdf44868c230fe39ac148bcc61fc6fbd

SHA512
f0736e2f1083992d0d7c67187fc6be8f49f0afafd4e4e28c96646b3dadd9ad1738362de59dd04833bf87bc216a3d6faa5d285f4020ca74ff3c8f2190f1274032

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
9a289f3a93e9fb228971350484603e73

SHA1
cf7a016f70cf1fd3a855f4a43a29f1043648903b

SHA256
05bcc75e6fbc16ce7e4cac291777d3f53015e6d757b544e115b19dfe42543a6a

SHA512
6834f7d7272a1a9aa87627b5c19b864aa5c20092c22b4bb4acbe2d22144573b43bbd4f3eda482573d8d86a974581083a24662d43ee09a0af9002aa314ca22398

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
c4e94dbedd44cab289dbcc93c40ea306

SHA1
7660fdb28ea855b7e9bc7781259ad067f77726dc

SHA256
8c1de2920a8e9227465be3e99eeeb059ba112c61d610dbc037907befaca8c82e

SHA512
d2df292c14e9a951ab97268d96a7d6b067b7eb8778dbad1b46bf5eb89c17f10724274e6bebea8f2b0863169dce10070078245a25d118f60e7d461deeee138831

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
1f6ead65ea5164b4105b562e2e3dc4d1

SHA1
aaf65289950daf4be225edfc9c975ab097515216

SHA256
c4d99c91d7f215200c099bc2724281e8631c276c743abf030beac8979782cb28

SHA512
b21f1536ed50c6273614e3b755e58ea187186551fca378977edb431cb82044ef6dbc6f7abdb053a4ef1653fbd069c765f958303a380f9e14c30eefa4f64dd1e0

Download Submit