5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
Size

2.6MB
MD5

6ca1691262147c6d97427353247711c6
SHA1

8e6cd4aaadc86113a0c563fd5546b8f3844965bb
SHA256

5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479
SHA512

43021fd8dda6d37510cafacd021c08c9ee7532912cf7448e4b06c6fb0da787165b1f1618944f245ec929d845ad6197db61d3c32c5d15e2b00c68b48e577f325a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUpQbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	sysaopti.exe
4520	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe78\\xbodec.exe"	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIL\\dobdevec.exe"	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe
1184	sysaopti.exe
1184	sysaopti.exe
4520	xbodec.exe
4520	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1184	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	94
PID 2888 wrote to memory of 1184	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	94
PID 2888 wrote to memory of 1184	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	94
PID 2888 wrote to memory of 4520	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	95
PID 2888 wrote to memory of 4520	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	95
PID 2888 wrote to memory of 4520	2888	5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe	95

C:\Users\Admin\AppData\Local\Temp\5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe
"C:\Users\Admin\AppData\Local\Temp\5b14f3a64c8e323a146a107f2c54254075cd493e9517acd95a32756ac964a479.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Adobe78\xbodec.exe
  C:\Adobe78\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe78\xbodec.exe

Filesize
2.5MB

MD5
840236dbbb33c9cfefb605c409d34830

SHA1
4c54a664448d6932db1bc9fc82a569dde6f82a3f

SHA256
a7f50eab2c7a0b1fde498b1bf1c9709436f4bb65900a17e7c8edd73c27db83ad

SHA512
a45d6a7a079fb93fdfe7348956cd0ca676a22855dfb7c21704bcdf3c763c42e503e4cc43c8bb9d5e29bbaef2d68c1bb0aa4a0c00b07b0f7ee0c1ee930af6bb95

Download Submit
C:\Adobe78\xbodec.exe

Filesize
2.6MB

MD5
99ac69dd60fda8c03a88a095a3633c49

SHA1
870a94f83743640fd82d0c05013a45f55f0b7d2b

SHA256
2fba82c97a6ef886c78401309abc461e996f07f11cfc2949ebbca42e82530c92

SHA512
b8596ee4c52e8b329ff73f8dd737769ff10702cdb218cb3c358c5d5d95680f1f162082c1033fcf3216184a421e531a71eda971e4da00c13278c17d695c27724f

Download Submit
C:\MintIL\dobdevec.exe

Filesize
1.7MB

MD5
9dec71161f6cd70cc6c5d38793e3eb6c

SHA1
f23a5f3851698dc200321075f5fefda7d99b54d7

SHA256
73fc9fbe3b0daf0bbd6c5884e025d251236c2cfda29aa353d74249d10ff8aea9

SHA512
aad38b34139f8810372e2c601e985bb5a55959bbf9517c2a18828e34e52ee681b5126deeba8947fe1fa93cda9806317bf787e9c3055d6fbc2a529b52f726fe56

Download Submit
C:\MintIL\dobdevec.exe

Filesize
2.2MB

MD5
65d86cc3b4c0bef7bcf709276f721d27

SHA1
1cfc90e212917a48f3185cefecb0d75618902b24

SHA256
8c41bf3aad42f08bd5d59bd7c120b5573c53bfe90e3e1451cad128b2cec550da

SHA512
40607e788a2772ff95e5038bf3003ec706f8bafdc8c49ab04182cad2179d9162e6700c03698523c2306b57f611e3ba184b29420c707592cd43603f14ec3779a9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
8f6df48450b3f0bbc41d2126a2a9afd2

SHA1
7361080cddaf464d56174251a495d1028ac07964

SHA256
67ccf290e48a9c5df18bb15a5ec66a743a670e1a7c491d5902e95a731bfd7c8e

SHA512
c4ed2c5c4b200a55f39d8205a48abfdf8c7dbb234de7115332055ed503760bae9b60a34f10f70d1f2da27b8e9a20d05c42c1823d2b69f3395db27eca861109b4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
223f5d013fce6b73b95ba8cb10edbf3d

SHA1
16b5cb7b7276d0a18357456c96e9a8fa25bb3413

SHA256
098e7883cea3710819485f067dcddbacc41a8b13abef840b999792b058b38b0b

SHA512
04809dbc9d97ff48c29f6953b61117b3519232744200217e477cee0762b746d0163aa836a1c8947919795727c5b8de3ff1bb0fb9a7e83d3b06915432ecf1f598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
d614203bdb65f14bc9a7da760401d72a

SHA1
0203305924e98892c937161df4b3f878f35d9dd5

SHA256
353377f67186fcfa66676bbe513450fa361fcd89f4039f43119327896e0453f3

SHA512
52e0e48f4fe3e0e59bf5611f2ecaa4dba5651ea2d89880256aa75459c9caf86883290e1a31d58d1153be2023a85c1bc0e31738fe412030b97a06daaf51ee450f

Download Submit