a82d7e31b5d4f2272601bc40b56df1835d269949d0c3de46c0992c3ec9383c29

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec57cf71bd965a6d32364afbe56c6ad0N.exe
Size

2.6MB
MD5

ec57cf71bd965a6d32364afbe56c6ad0
SHA1

29d57539445e8c9cc206cdd879c760c8e5ce0527
SHA256

a82d7e31b5d4f2272601bc40b56df1835d269949d0c3de46c0992c3ec9383c29
SHA512

ba1504ce921f05b64b970cc10141904699fd374cef1b1819f4fb96a62e71c5f0564d1fd7bdb3ac8d96e8b6866ae6f385949f21acee2ac5ca0b585f7a7b7f3ea8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	ec57cf71bd965a6d32364afbe56c6ad0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	sysdevdob.exe
1488	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc01\\xoptiec.exe"	ec57cf71bd965a6d32364afbe56c6ad0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZL0\\bodxec.exe"	ec57cf71bd965a6d32364afbe56c6ad0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec57cf71bd965a6d32364afbe56c6ad0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe
1804	sysdevdob.exe
1804	sysdevdob.exe
1488	xoptiec.exe
1488	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1804	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	86
PID 2612 wrote to memory of 1804	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	86
PID 2612 wrote to memory of 1804	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	86
PID 2612 wrote to memory of 1488	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	87
PID 2612 wrote to memory of 1488	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	87
PID 2612 wrote to memory of 1488	2612	ec57cf71bd965a6d32364afbe56c6ad0N.exe	87

C:\Users\Admin\AppData\Local\Temp\ec57cf71bd965a6d32364afbe56c6ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec57cf71bd965a6d32364afbe56c6ad0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\Intelproc01\xoptiec.exe
  C:\Intelproc01\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc01\xoptiec.exe

Filesize
2.6MB

MD5
07b783690f5ced15dd3f94d64a220b99

SHA1
747f9168c45bce4d02cf3fa96e6b18b696be47ae

SHA256
dfc0967158ab9fddac17c308c746bbfa9ec8aa1e30de9a7731d391f26a8aecaa

SHA512
b412b561fcc7eff9b5266effcc1d5ff2ea2a9f0003bb0ffaec14083b11a7ad4fb60087deed69aed990133c91d55f40fdbddd91b264d44c569ed479c77b639995

Download Submit
C:\LabZL0\bodxec.exe

Filesize
2.6MB

MD5
8a68115cf1a27e20b12ac3bf20f602b8

SHA1
6087a7149f943bab3634c970ffe8585d546e60e0

SHA256
614c7a5874c8e704b57a916c726723e5f1b749df384f6ed633f021680263adc1

SHA512
db81d96ca15a1e820ed4ecad9c4ec0ecd5435b4e057ab8610fc341673babea03c7510d40801c267bc0559167763d7c57b594e4b1a1cd4f249db0ecfb269e545e

Download Submit
C:\LabZL0\bodxec.exe

Filesize
2.6MB

MD5
3551b804460d5d2a47f82b3e5ee5a339

SHA1
8921ff36779285ede5105d78dea6b8ba3025ad16

SHA256
4d4f110d38ab7737af210f6ad255c0d0d56bd281fb31a63b0063d9d40c912b16

SHA512
f2d0aeaca01240e5336f8625fd8b459362c2e3720e7b6353a7b47bc18f0c67bd34328cb9cb9c78d7293cdc86d58b588adad037c9ddcc6fafcf3c58c5568e701f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
5fe4bc61b0560530e56404d8af560794

SHA1
7de981b9d7abc0161f4fe6d8aee8ff726c4db817

SHA256
32c6c861e0a439cc6e8c4918706bf9fed7ac5f08f13d0d95613aa9ea19e0d4cb

SHA512
a6c7d1fc9fc92a1a0ae84d8a6b854a5c99d6093ea440f3f6dbb712fe9553534ec118580c0083a7805cf83ec04dd8ee62056108254beb2761e01ff77912829b82

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
04f8c856d833f91f5746c3d880171b81

SHA1
848b358ee7d2071f1aa0508281861cefcaac78b9

SHA256
9421d59ab728f818cae4c2ac690073b38cc31b3b07d8d71f374b6213a5fd2634

SHA512
fd58ee21f339ec90a16c44ae618c8b0fc173f081f0860ac37264dda7d330232920e8ce52f4cf733db15c61b67775133c289268884cea2ce8b9790c1e474778a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
9b6e8d29e111f76bedbe9c9016bd298f

SHA1
fa565c86527a0e29033da24254e4400d454ab50d

SHA256
d8711206ef1f2c6509542644daaf02cccba48c44962a1ff84682cd754816d67b

SHA512
d23da1490052fa3d7b1a2aa4a79ca6d79015346f076b61f7138b824224db83a2ff05532f3d30c84c072814fbb59ce156ffe012fe14b965aecc92d479a5d4de4a

Download Submit