2e15ebb0e0666de76d9131f54a92aa65f8d10edde5acab9620004aa0339cbf8e

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78c68415d52f10ccc8cb5ba02d0f42d0N.exe
Size

2.6MB
MD5

78c68415d52f10ccc8cb5ba02d0f42d0
SHA1

ea9953903b431ea8336d43385c7286f703155006
SHA256

2e15ebb0e0666de76d9131f54a92aa65f8d10edde5acab9620004aa0339cbf8e
SHA512

a95388bd43b81bf396bf81e9fc2a5c9b142e4fd3ef9eb23e999c4b50ada46a3e78e4e63c0431eb4f22c571236d0900964c2f8b5eaca914c9f2a7c9b7da3cb7d7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	78c68415d52f10ccc8cb5ba02d0f42d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	sysxbod.exe
2200	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe
2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7H\\xoptiec.exe"	78c68415d52f10ccc8cb5ba02d0f42d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRX\\optiaec.exe"	78c68415d52f10ccc8cb5ba02d0f42d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c68415d52f10ccc8cb5ba02d0f42d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe
2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe
2364	sysxbod.exe
2200	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2364	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	29
PID 2068 wrote to memory of 2364	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	29
PID 2068 wrote to memory of 2364	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	29
PID 2068 wrote to memory of 2364	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	29
PID 2068 wrote to memory of 2200	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	30
PID 2068 wrote to memory of 2200	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	30
PID 2068 wrote to memory of 2200	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	30
PID 2068 wrote to memory of 2200	2068	78c68415d52f10ccc8cb5ba02d0f42d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\78c68415d52f10ccc8cb5ba02d0f42d0N.exe
"C:\Users\Admin\AppData\Local\Temp\78c68415d52f10ccc8cb5ba02d0f42d0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Intelproc7H\xoptiec.exe
  C:\Intelproc7H\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc7H\xoptiec.exe

Filesize
2.6MB

MD5
135298cc705ba3ab00e766e0629a0adf

SHA1
92e23dba31810a60c966386142fe5fb30f1581a0

SHA256
9ff33bfe8e0211585fd0d3559e103cb8763de7a4ef23bfb017cb1b4ae7deecad

SHA512
a408234bf9df8c1ebee254351762a97c4bd45325e69fe03cb7741bff8c8366ae88e23b53cf1323db49c10714fed9b6f55d363b1e307bfcc86637289343c69560

Download Submit
C:\MintRX\optiaec.exe

Filesize
2.1MB

MD5
e3538e4fb99454bab84b47b97e942ff7

SHA1
643e86b258f270e32328aad71fd011eaeb5a9201

SHA256
facbeccee39c60937b9d676932f5201e5204fd2f0c197d56cdb4bbe99ff3d29d

SHA512
3c1096c0c96500565125100af49383153fea1b2a61584d32afe4d7310bf1c5b746066e342fbb58495211482ed48b22771fa8a701abbbb702dd5fd2ddc18a1b39

Download Submit
C:\MintRX\optiaec.exe

Filesize
2.6MB

MD5
0032b70e93797f9ac6cca0de9d787a99

SHA1
312f269eb461a6524b590d5a06db3510338c54b8

SHA256
3a22305ff9071364505d9c8fa9cc10fd5d868ab250f5039a0bf866ac7f15c699

SHA512
73b94edc691d2ce4ec8f37771f552868747395ed5e189539ab2db411adec4873742ea778cfc1ee0c5c2fb9bf6c04ca64f8028467567fed7d5bb8db0e2f24a675

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
c68a2a88b781489bf3ce055c95908dbe

SHA1
a804ecaddfb054398d8d9a2f1ac7ec2ecddf4d03

SHA256
4e8b61a3ca397acaf94434dfa9c697c71de3b3d50c3547a6601488b83ff0921a

SHA512
cb7b45679a3b5f23bca9ba0b9749f1faa58c4aa577d0eccf9b6cde70ce180d0b73d91a74c25226f744a0cb95cd9f8dbf10a4a7ce8235b6e770a1bff0779023d9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
32933fedccf7904cf7402a37787cc9c8

SHA1
45f01c31bda6b4809286e0330ab9fc891399ed3e

SHA256
135a8589e8014ea411eadf83be6a05114f82af354992b675384a3c91d2a3ae76

SHA512
7878c6f7f53a15500edce6928a9f95d63b3952cc0310d85301e4d3e0966b7037494d221371fc9927a2097be7e35fa11b1ec9c7ca4f647c0456ed1edd081b7ea7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
cd2f70d777a4ff1c958b60ef2b61e4ab

SHA1
7c1b57290e3025d18eca7ffff7fd7009f311b042

SHA256
ffa1644102ac452e00b905f4e96c727a36e2461071177042ad1277179be45cb5

SHA512
dea008689ba2076010ded4117d8c0904dc29f3e5d87105ae6a951b9bb9433d7f0c61f39f134608c10cfc28f3049f93876fd770fde49212451c9ab531dac885c5

Download Submit