bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
Size

2.6MB
MD5

0494c5b94fea1b310f8c4eeb6dd01d4b
SHA1

863d68dda0506f05411552c4976b0d22b942504d
SHA256

bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a
SHA512

feca16b48d583d46028d0ca4f20a6455dd5335c81086ced94997220620956a479df632b71a0507ed268ad6ea8a9be6436af9c7cd6f923b7d47616b07859ef24c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	sysdevopti.exe
1972	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2U\\xoptiloc.exe"	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDF\\bodxloc.exe"	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe
2312	sysdevopti.exe
1972	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2312	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	28
PID 2204 wrote to memory of 2312	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	28
PID 2204 wrote to memory of 2312	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	28
PID 2204 wrote to memory of 2312	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	28
PID 2204 wrote to memory of 1972	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	29
PID 2204 wrote to memory of 1972	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	29
PID 2204 wrote to memory of 1972	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	29
PID 2204 wrote to memory of 1972	2204	bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe	29

C:\Users\Admin\AppData\Local\Temp\bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe
"C:\Users\Admin\AppData\Local\Temp\bd719bf2076cb24de75da2f2a6864f24c2561c89e3501ca7f81a207cf1fa9f5a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Adobe2U\xoptiloc.exe
  C:\Adobe2U\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2U\xoptiloc.exe

Filesize
2.6MB

MD5
67a35d00adbe2c3db6475fafbca4aa9b

SHA1
033c065fef816d80f1c8fa70969337f391e3b280

SHA256
719e524873d5472789613e9ea68d7ebf37a9eca86e634ec87d02dc72b01aa3aa

SHA512
d1be6ad0a91b58b00ff8ff2c486e201df46395b727a4989c76916a0f6627b06a4f9ec29b53a5fb8b0af6e42e169abaed8d72c301a0c147872b8e67abdb79f246

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
ed1211d7663c0e66b6783cd1ad1fa96a

SHA1
e651511513c85c648faea70dc117a19c10c52b16

SHA256
0d02275f88e84fe22070b2056ee2dace43880433897ad576ec1187eb4e7f592a

SHA512
242df7c5ba05734e711efba4894a6e545ac6c3af322305c12b81b8842c418e56a3079a4aa9680330a2282a427bcee610d5eb26a9d6a5865c2a4705528ffe4259

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
758efad1cfb10e745e16f5523b952091

SHA1
e0bd6f7832880b058610b4b32cb5cf73b350b010

SHA256
58a2a2f465a5892f7890b88164e33f71f6405fd3a9925ce73063cf507c10d7f9

SHA512
d314565590165b8b61f16fadb7218a1cf321b8bd6e087a13508308febc810aae06459d14c1c591567bf08c416f51df716290522c075a213e4fe04ae72c1e290d

Download Submit
C:\VidDF\bodxloc.exe

Filesize
2.6MB

MD5
756897c34c9108a4b417a66632598f75

SHA1
e00cfa41e76a41e54c3e9793928fc58bc7c35f27

SHA256
c5888c01a5d095ec12eea00cc3b20d1d5291a26c4713e3399faf0db7dfcad627

SHA512
fbf08be1195a0c019cb4006f56249e8710034cddb55afbb081c4a0908e4892014563b482a5c6258bc3cf84c78ae1e33e9f306ae1eb57d8d1a883e1f245e65d43

Download Submit
C:\VidDF\bodxloc.exe

Filesize
416KB

MD5
2bd4bd849b96f65105138b6fbc161a69

SHA1
dc7cec9b8e27409db017bac8e00c5c7a4f4f942b

SHA256
21a0d7667e5999e33d34bb6b145cba222d9e0f2b8ff1083293748e4e36180a1c

SHA512
756cd9d6edfd1aa04fc4e39613cf6667c3db977c0d774cbd50da4a53786dc9031638ff0016c58dd9822c93898f835c148ea1a6168203cdfb85b23d69591a1f17

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
d37e7c62605f8c414798c643d9b93751

SHA1
ea784800a25d529130de8d87930e36fa96c85751

SHA256
f42f2a2bd75dfba1d9c6a9afab97b72d3e7ac25775407131ff5432f7d9775012

SHA512
f4da0c78942c9287b6069e6c5b7f20103341ac9c80da5ed3fb9298da4bfb703c5f96fd3a2bffc829619c1a40a9a206611bd31fb7240c93cd53461e94f74a54f3

Download Submit