146bb4d513728f31072cd0f2a2092942aafe31cefea499e0c37f90defd6ca090

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8280d0e1676c4249517d300ee730b470N.exe
Size

2.6MB
MD5

8280d0e1676c4249517d300ee730b470
SHA1

78d7d9f64898180db1859ca463534d1db3a0623e
SHA256

146bb4d513728f31072cd0f2a2092942aafe31cefea499e0c37f90defd6ca090
SHA512

3d14273ce2deeba7fb83905e81429e750b96bccb8dfc2a44fa957907cb8943b27a93a4c5297b36afee8a8bf2de0e5f7d86a00ef9dd24e0dcba735e070c07f365
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	8280d0e1676c4249517d300ee730b470N.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	sysaopti.exe
2968	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	8280d0e1676c4249517d300ee730b470N.exe
2112	8280d0e1676c4249517d300ee730b470N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHH\\xbodloc.exe"	8280d0e1676c4249517d300ee730b470N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3W\\boddevloc.exe"	8280d0e1676c4249517d300ee730b470N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8280d0e1676c4249517d300ee730b470N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	8280d0e1676c4249517d300ee730b470N.exe
2112	8280d0e1676c4249517d300ee730b470N.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe
2744	sysaopti.exe
2968	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2744	2112	8280d0e1676c4249517d300ee730b470N.exe	30
PID 2112 wrote to memory of 2744	2112	8280d0e1676c4249517d300ee730b470N.exe	30
PID 2112 wrote to memory of 2744	2112	8280d0e1676c4249517d300ee730b470N.exe	30
PID 2112 wrote to memory of 2744	2112	8280d0e1676c4249517d300ee730b470N.exe	30
PID 2112 wrote to memory of 2968	2112	8280d0e1676c4249517d300ee730b470N.exe	31
PID 2112 wrote to memory of 2968	2112	8280d0e1676c4249517d300ee730b470N.exe	31
PID 2112 wrote to memory of 2968	2112	8280d0e1676c4249517d300ee730b470N.exe	31
PID 2112 wrote to memory of 2968	2112	8280d0e1676c4249517d300ee730b470N.exe	31

C:\Users\Admin\AppData\Local\Temp\8280d0e1676c4249517d300ee730b470N.exe
"C:\Users\Admin\AppData\Local\Temp\8280d0e1676c4249517d300ee730b470N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\AdobeHH\xbodloc.exe
  C:\AdobeHH\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHH\xbodloc.exe

Filesize
2.6MB

MD5
427c852ab1059eb5548dc7cbb5054c37

SHA1
5becc98d2f0942eef778388bb484d5546384050f

SHA256
109bc4fb006139a450b21fcf3776b5ab4497a583a75000fd67892505726bcfd8

SHA512
8c1e8ce52cbd692586e0d86e08133d0749799bf2298bb7df968e6977248f79d67c5c6b415d5d57f3ea02d2066ed8516ecfb8408bb9483b52ff18c36abf4112b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
beb90abef7820bf685c69e83e5ec40c6

SHA1
82532042b518916da8482707bb17407356d85c5d

SHA256
63d2110f7bd3da26a1bf237c82bc2516e95dd62cf58aef07559b4d0d159c14a7

SHA512
a8f909f46b726f9810aa18de614e9286494f0f4bf5f66d1144fbe943587328b55b9f77d822f7b78332d5500d66c150979e72476c85998bc94baa27de9b39cd1b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
2ad8efc5f70415a0cc4596ade0423737

SHA1
e048d28925c0d5598bdc9d9071b8a6e88c790207

SHA256
6a040e5f84f9b8858d4c3ca268a97d5fa273af04901af5e75ad40fee805fecdd

SHA512
737e5d163a4cdfc510c60c2c1739ea2517f442e83ee215db7fc8bd62a6de3b3cb708c11491d0b826bf7248b08a89dd08b2457b13b623cd869d22e72f6eb6c5e0

Download Submit
C:\Vid3W\boddevloc.exe

Filesize
2.6MB

MD5
a8f709f48cc33ea0e0ea25c1e679e0da

SHA1
69842448d6a9c5cb4a0ce3cef5dfa9a68c3161da

SHA256
40f4382b5a1f608b3854e7d0470bcf0e49a16a9b281697fa8356e330fe998aa2

SHA512
2765241e1d19142af4eb309cd0a522a832877c517abe99fbba97dbc3e13bd418c306aa2d1a21e2b58a59a2a1864744459185c691ec820768860027efe59ac986

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
ed25f26bea295117e5aa851c37256ede

SHA1
0ddff019760d5c1a7b6bafef35194c96126aa099

SHA256
8d32cf267a7dccecc398da782b7a90fc3120e902444acba311848785e1ddd2d3

SHA512
1680eed28ae287cb2a61f9855695f757b325f90cc3a0a146d04f9e37fa24cd9ae7064d28ca447f68eff772cebde383b5a2a3dfa332c6e911911836de0f93035f

Download Submit