05f73c0a6dd89c706215c0187e0133157c74edc5768d21fb76eae026eb6ab1d4

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6666e11de1b68f98bc5eeccbed86a270N.exe
Size

2.6MB
MD5

6666e11de1b68f98bc5eeccbed86a270
SHA1

780ccff9ddf99afc2f8f80523e0db6621ee6e5b2
SHA256

05f73c0a6dd89c706215c0187e0133157c74edc5768d21fb76eae026eb6ab1d4
SHA512

178108402d4a6856bc9e5a60d18e887362226fe8f248151c38c5137cfad5c66d64d3059f51a916e0c64b0104491bcdb71d4436fbb95eb31ccc75f6e928e69801
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	6666e11de1b68f98bc5eeccbed86a270N.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	sysxbod.exe
2832	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	6666e11de1b68f98bc5eeccbed86a270N.exe
2164	6666e11de1b68f98bc5eeccbed86a270N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY5\\devoptiec.exe"	6666e11de1b68f98bc5eeccbed86a270N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBSJ\\boddevec.exe"	6666e11de1b68f98bc5eeccbed86a270N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6666e11de1b68f98bc5eeccbed86a270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	6666e11de1b68f98bc5eeccbed86a270N.exe
2164	6666e11de1b68f98bc5eeccbed86a270N.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe
2740	sysxbod.exe
2832	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2740	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	30
PID 2164 wrote to memory of 2740	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	30
PID 2164 wrote to memory of 2740	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	30
PID 2164 wrote to memory of 2740	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	30
PID 2164 wrote to memory of 2832	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	31
PID 2164 wrote to memory of 2832	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	31
PID 2164 wrote to memory of 2832	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	31
PID 2164 wrote to memory of 2832	2164	6666e11de1b68f98bc5eeccbed86a270N.exe	31

C:\Users\Admin\AppData\Local\Temp\6666e11de1b68f98bc5eeccbed86a270N.exe
"C:\Users\Admin\AppData\Local\Temp\6666e11de1b68f98bc5eeccbed86a270N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\IntelprocY5\devoptiec.exe
  C:\IntelprocY5\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocY5\devoptiec.exe

Filesize
1.2MB

MD5
ef5565b99aa76a8aff972aca7bf441f7

SHA1
316feac427633e0f229d4929fac7c9237916de88

SHA256
f3dbdc83e4b9db12425ab3ca192fc838e8377760de54db3069027477c9fd6b7a

SHA512
e6e4259a3ca7162b67eace05519e2fb300b49f4dd0051cc076037e58fc67a60473b4aff7ad2b62d50755d4a863090cd4c603fe489ea59ad7d0c1d4ed1c725d27

Download Submit
C:\IntelprocY5\devoptiec.exe

Filesize
2.6MB

MD5
15f6c944e0cba2f17d251ef94031e2e7

SHA1
45a915b7ecb5b1c26ccaf87a0663306b0eab582c

SHA256
c730ff99465ebdd2d9b13a3816d6b1eb79cb94ed874f1c857568385c01229270

SHA512
a131f0fa77a33aea360e67dce5f483d9a15b2a2e3d428ab9903fce62df63bc66ca54b59adf7229e76ec8f4d9dac06b6b76f6b3e594f3b3ed9d38aef349ecc247

Download Submit
C:\KaVBSJ\boddevec.exe

Filesize
2.6MB

MD5
f56e2ed6531492b52ca354a105ce269a

SHA1
bab8d1ff8ecafb231fe867af1418874b098c07ea

SHA256
a39c531f086bb7f709a86daa4ed14b75a654887d2757cbb68a8608b6cb9ce4d0

SHA512
730e1b2b9d56eabd3ae2e054a91e926a7a85e081e47a018fbba5ca6d5efa65ce914e2a5a840de258c50997c1e1bc6aabbcc5a5a66d41069455225cd34589e153

Download Submit
C:\KaVBSJ\boddevec.exe

Filesize
2.6MB

MD5
c70744f40d9f0ce7af19eeaf8b9f2260

SHA1
6f93dabe000f992cea81da45d88293012c9199e3

SHA256
970558d7e92dc526eae249206f2007ffc8ca6b1a9171079ef603ad6ea5a300a5

SHA512
974f435da79ab31b008e18996840b9a9b9bf8899ae93bca4cc452fe07231fd4885878f565751f968a07a48d71466b638d74ed720895d5df8eb0680fc116d5cc0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
eb75e05f5a764e42064c33490d6aa233

SHA1
d245c0c972e0d0b5a39c40399e6519edaf94c6c6

SHA256
47e66cfc68ac39460e164ab2b1266f6af99c93b52efc3d7aa7464909d01f43aa

SHA512
220d455d6f6548b3ff5e5f986720ea660faf95df13c76237c30a9250ab5ee1a96ee9c72ca07ab8ef5778ff11a1e7778ef22772b1498cb32a082b51afac9afa7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
6bc910946cfa7d0e9a976f22e74beb97

SHA1
1d5270cf299bf70ecb4044983b7e783e9a013c0f

SHA256
1dd8749dfe83d2d03cfc6d9f0e308302ae2592165c1232d436f6079f22068da1

SHA512
d675c2a97bde4103752c1e20331be8f1002b011e2f8b4f5048cbb8a4fdc90d92b11bb4039a7b87643440f7c2a466440a3fa0b797b3660d3c0643b673f1b67236

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
62b9ef998a726ea73412f1223b022ac1

SHA1
c512dad30b004043bdc87e19ef263d5c8852296f

SHA256
fbe06ccc2b9d696dd1b7e034b30af3a7b03598e621163292713b9c1c8234d5f5

SHA512
8322da5e6afc9f1219197d927699eb98ecd5951f2b26e55bd1f8786322d316764a7833e1fa263c5fec07ee868930bf798e7a96dedf214754c747141b7ac7882a

Download Submit