b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
Size

2.6MB
MD5

ff52a12d312409b26607ec76a01081e0
SHA1

408a823b6ab3e46c8a334df4038a78b5fbde0ea6
SHA256

b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42
SHA512

47984476fd438e66f71e7ed7d93870b6f49e5997e403839fc180b60fbc6c4af1d1d5aea144bbda25b3112ed398df139eda882388c50e2073e584c4a0ce8d5429
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

Executes dropped EXE 2 IoCs

pid	Process
756	sysxdob.exe
2700	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4W\\xoptisys.exe"	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3X\\dobdevec.exe"	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe
756	sysxdob.exe
756	sysxdob.exe
2700	xoptisys.exe
2700	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 756	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	89
PID 2664 wrote to memory of 756	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	89
PID 2664 wrote to memory of 756	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	89
PID 2664 wrote to memory of 2700	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	92
PID 2664 wrote to memory of 2700	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	92
PID 2664 wrote to memory of 2700	2664	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	92

C:\Users\Admin\AppData\Local\Temp\b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\SysDrv4W\xoptisys.exe
  C:\SysDrv4W\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ3X\dobdevec.exe

Filesize
2.6MB

MD5
919e94938239b0b23b33442935b64d0c

SHA1
66d10dcf1137ae3dbb1a21912b481d43b154c856

SHA256
3e7881d15656ef56bd8374ff6fa2004ddeaae23c3832c5bcef93d7bd18425668

SHA512
0b8aae48b5cd835008ece70439f813e3774d424ab042f809576d17c2893ad51147d4eb66fad098979352ef6d5e03903eaeba62c8c3f31c6f4ae7fa462bb9eff5

Download Submit
C:\LabZ3X\dobdevec.exe

Filesize
7KB

MD5
c5a11c20435bf167b7ef33a92d131f4b

SHA1
c88559847d49a4715d86999f6bdf7f3a710b55a8

SHA256
186493aa3c8ae67d8a6672ff6b522c91a36ab2b4a1859de6cd024fde6cca526f

SHA512
a9ab8a378a0eb79b224d30ae559dff6a73633c0f999b60e3331479037dc18e3d1bae1bc28941f4b94b6ac102190b5899adc9a706d3a4af95dd8c65e897f34335

Download Submit
C:\SysDrv4W\xoptisys.exe

Filesize
2.6MB

MD5
5bad8fd92dd2fbded74c41ae4d678297

SHA1
3fbd63256946cbbf890e5f356f4cc4284b23d58d

SHA256
2fc0267056a9c037a94e4bc68d10d168a0976e109787edb2fc4d25f4a3e26df8

SHA512
d26bccd90d35780b796d258ab4d013893fc104b1f4b50f479c8dc428b4cc6aa5bc9e39989a627960d86a622612a611621a9558204e641c61cb6ff5e7a3da49d8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6f298f23c14c4bf80c76b92b771ed231

SHA1
c15fa223645eb2e61e9e474745a0f7ac0600fc88

SHA256
31d0ca7baec101e4beef243ad2455f0bbdeea3a1be5b63ded9d3c1a95743c2e7

SHA512
18b897c88b27d5757e2e01c5f9e056be6da920c9baa9600675208f3a057ddbee631e370d3de7b5643b5d45aa252a618a44e4a11ae83cfccaac98999d42e1dc62

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
69755ad4ea934cd58336840ffe3feba7

SHA1
02ada0f7fa415d6f453f7f81a71891a396d706af

SHA256
e148807f0abe1b8fb2d85615d87c20675a9d867955bb4104e59676124ab11c29

SHA512
1c9d2ecc5fbc929dcb465a85ed25946c232281130b1e0a93851c05ba6126cf226224eb99d799334cbc154bbe61b0b869148db59e881b878084d31ce2b8e86d05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
0974f6f58637ca84188e47855dc37c8f

SHA1
26081d4331d31baf97e93476e0dd20d5e7b802ae

SHA256
944de5c655bedd2f3bbf489d62b6d8c242dff9725a81257150883a6c8e7e20a4

SHA512
eb698effe02aeadbac2cf110d41d67e8cafccba40b5f31483bc565272c819877b58dd4f512a5e244e81f3312c7e695a3d0fac5540625a7c2f953e2d6baa7f07c

Download Submit