3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Size

2.6MB
MD5

f2b732029b7d0d90984c2257a1f69e4e
SHA1

1d98d0465855ca94725b21b0fe22a76e82fc43de
SHA256

3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2
SHA512

8c3fa8dfaf1e202cdb20daf23417685bd65e6789e7472b680fc130b1e6ed860d68ccffb973bea6a71566c78646b5e52a0b25cf97d4e4c49d613c4af0f76fd973
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpYb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	sysxbod.exe
4016	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYN\\optiasys.exe"	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv87\\devdobec.exe"	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe
4828	sysxbod.exe
4828	sysxbod.exe
4016	devdobec.exe
4016	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4828	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	82
PID 5000 wrote to memory of 4828	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	82
PID 5000 wrote to memory of 4828	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	82
PID 5000 wrote to memory of 4016	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	83
PID 5000 wrote to memory of 4016	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	83
PID 5000 wrote to memory of 4016	5000	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	83

C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
"C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\SysDrv87\devdobec.exe
  C:\SysDrv87\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintYN\optiasys.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\MintYN\optiasys.exe

Filesize
2.6MB

MD5
68d3d4e5f64e52b333a02cb6ebfad470

SHA1
4f254b85b9f7bdd0df640c2a7a6c93a5c95236da

SHA256
9342407d0997f59b345324702988864d2cce8d3172ab1a697ccc9a82bb7794ed

SHA512
31d27919d874e6f69d44c22bfdb657e4394f78f0b9b277b8a487ab324bbea2b0308226aad25b1b3bb05c8a0741af76b10055e264d749399f409ed7f2b3a0b06b

Download Submit
C:\SysDrv87\devdobec.exe

Filesize
2.6MB

MD5
c46d5902a8b7dc7d8193a4acf956a7d5

SHA1
a73c432aa9ae09956035197561a2dfd7dea16270

SHA256
9e68a3c76a5da72a61607e05c481cf88e9adecbb61ef3c9c02c2d3c06eded100

SHA512
3f6c07e14660ae19ee83fa1c747707446e9069e67dd0cde380f6b0e34e02bbd8b9e127f577617e5b793c9415dbe31aaa2395bcf98c686e4c3ed7ac17774c509f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
9e7d057e1c486258ce0cf947d3d44f6e

SHA1
ab9b38f5d5574b3dcb4bc4674b791fcbfca399f2

SHA256
fa9525f60b328c003473fce413681d0dc32d5cae699e3812fb0fd33c6f85a94b

SHA512
41d1627719d8b0831eb1f7fd65ff51cd8d6fc423ac8841ae1e19517382d7854c9e2e0a405b66ba3e68d7582f38f805fb369bc8fe3804bd5fc1f4a238c1dd4304

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
ad5407c2ec688aa847d4b973670ace2e

SHA1
5180db9235fcff6e31ab926ec739109b49242311

SHA256
8f8e5ef6fefb485c51d633e697e1051e8299507dc4920d9554c968836311d26a

SHA512
8d3799032be229bdd1f00e78e0b032d19f48caa3bfa7a3de84912adbc74f555b98b20d3ca217c5f9f12650266aea46f9c79433184466bf28dba5397fb151e242

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
918dbe9405b96d4c8685fbe2966c3c1b

SHA1
89dd3b08b0d71356d5b6efb7083dcf6f52954148

SHA256
4596c8b238d0a712b49ab7ef535654685a0278d38be0d3cb4a3b15bdbfae5bf2

SHA512
fc54a9e268e13b7871eb5546b30947def6e5495ca6e6261c282a1da43fe7544c06d6b8946d16be4b22a38fed1053d1930ad9a2d2d4386dacce3a08e832d203be

Download Submit