94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7af

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
Size

2.6MB
MD5

a9dc8306fa9122fafceb1ac3aed38020
SHA1

c1438db051ce7ad7ee21efefb4c7197f65177226
SHA256

94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7af
SHA512

ce0a97166a9a5c592e333f8e5344a20fda5882f6404c20da4b152314ea4be95c1951f45b62c1f470dad65b9730b25541b8adfbcb78cf1f4143f5a27fc505c931
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	sysxdob.exe
2816	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQW\\aoptiec.exe"	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOD\\dobxsys.exe"	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe
1228	sysxdob.exe
2816	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1228	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	29
PID 1624 wrote to memory of 1228	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	29
PID 1624 wrote to memory of 1228	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	29
PID 1624 wrote to memory of 1228	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	29
PID 1624 wrote to memory of 2816	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	30
PID 1624 wrote to memory of 2816	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	30
PID 1624 wrote to memory of 2816	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	30
PID 1624 wrote to memory of 2816	1624	94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe	30

C:\Users\Admin\AppData\Local\Temp\94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe
"C:\Users\Admin\AppData\Local\Temp\94169c3fedcbd2c834e8ce2a48333b74a449a4a2316c89c47ecc0d83c2f6e7afN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\IntelprocQW\aoptiec.exe
  C:\IntelprocQW\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocQW\aoptiec.exe

Filesize
2.6MB

MD5
d7f3a733ba20d8edc2bc0216204026ca

SHA1
d89040ea875770481f1e30428c418a85f501e444

SHA256
bcf69129554bdf5a06d17602c7eeaf4fc201aaf7a8e6ea923058b239b9cf06f4

SHA512
f3727c5653fd8237ccee1414ac9143f86238d3f78346c1ea168fe71f7d0fd58e88d400e0566a08fadd3278530547bd83db9b22e4b26c017d8037a935157ec62c

Download Submit
C:\KaVBOD\dobxsys.exe

Filesize
2.6MB

MD5
5d3802594f1294b347caa9e58fe1cde9

SHA1
a3c05ed7b6ed2b12adafeba869eb5521d8693a0e

SHA256
0f3e46e33b9505b18c7360ea8e1c70cfd2e8fe1fba68b8fb1804da6592005792

SHA512
2fa53791ae0a59f9d06a28ed54216b6bb18a1f0a3c407562631e13faa50a6da986f41b179332cf3f200b3ef167781544dcc307c8b4b99f6a38a2c492f09509ba

Download Submit
C:\KaVBOD\dobxsys.exe

Filesize
2.6MB

MD5
2238532e5f1251ae59601df177c83104

SHA1
efde80ab6b704fe57aff5aae69ae2853772a45aa

SHA256
703dc69ff8e82a3268b213128a3c3ab9303d1382f1affe7461cb5f4b45de3ee6

SHA512
7d12cc0675081d3af3b0aa6ed0e13d0737654a5330f875f7334706dcc08254b952cb153b2c84bc6ae773668e0f9deb2820553c1c8232e7f58d43fc9556b70443

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
91af1dff2b8567860e24b54055fa7faf

SHA1
a9a470d9d6d9b3aa97935508359693a0587f24af

SHA256
3c924d539e3c891dd53c34741274bda528e1cc100c6a26d92b33c0413caf7c62

SHA512
23b3d7f7c2d40e72eab9f9ebdf677d6b8984c70f66b386b3aec5ed4ce63eea59c9b790d9c7c1ba8b31bcbe95cb125c54c651031a189122f1331865368635f399

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
1dfd76c1b4ac2542758fad52d8f6dbb6

SHA1
af430a29788985790303637a81792a591e4cbd2b

SHA256
dd4f9324e64c6809e96b0b6d932a83120c868bafc45bf88d1bbaee780e8f25ed

SHA512
05113aef440244ebc586cd7a8dd6dda98c6de0c5aef54d85f3f416a9db993262574a70904979c9bcabac3b9c9f8d579a89f845975c32c1760a94ad72d4f3d560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
679fadd00c1fc099a44b436e75fa5d8e

SHA1
2476bbd6edf9a1577416493f61322189f525952f

SHA256
bc24bd675f46e7bc79a02b483950ec8ce9cbc862bd3d0e82f7bbb740045343ce

SHA512
44b3d6204fa7187a83c6f5de4f3119e376a2752492b672b1986df6472726d9021a1827cfd39b0acda650e47dfb0406ebbc473c5ac9378e47b181503e3be7cc9c

Download Submit