49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7db

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Size

2.6MB
MD5

19f901d1634b31531c8b304ed1108150
SHA1

933d7b4f38cbb48002a60cb8a36691f9e6695e04
SHA256

49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7db
SHA512

37cc10694f8e4546d8284294a448e2bdc497b0c9aecd0c66adb280149766f770d9c25633d8b73d3a0c093b655a2aa91e824c16e1a5518ddaed9b2ae23000ed3e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	sysdevopti.exe
2788	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA1\\xdobloc.exe"	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2C\\optiasys.exe"	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe
3024	sysdevopti.exe
2788	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3024	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	30
PID 2572 wrote to memory of 3024	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	30
PID 2572 wrote to memory of 3024	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	30
PID 2572 wrote to memory of 3024	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	30
PID 2572 wrote to memory of 2788	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	31
PID 2572 wrote to memory of 2788	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	31
PID 2572 wrote to memory of 2788	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	31
PID 2572 wrote to memory of 2788	2572	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	31

C:\Users\Admin\AppData\Local\Temp\49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
"C:\Users\Admin\AppData\Local\Temp\49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\IntelprocA1\xdobloc.exe
  C:\IntelprocA1\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocA1\xdobloc.exe

Filesize
2.6MB

MD5
3297dc9a2fee21013d50552de8e7e8d1

SHA1
74e38cfaf6b4796d2a54e4336cb399d55170d071

SHA256
d2856c3738048ddccf22f87f50784e91f65f8464ee6d6d7cf5f0d285afbe0f5f

SHA512
f43bf0f44c60221443f6a07882530f39801928d496a6b21c726be91121fff88bf3d697b42b59de2aaa2b2a2d69d3155be166f51a0cf133370503071c7f2510a7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
43075c6cbee8296eb25cf1304b87406c

SHA1
5503132aed7a624f77abe92bd62d02a641c3394e

SHA256
cb1fcd06a6d5144309b12181b3651863bbd368e569fa080dc76153f38b1fcfcc

SHA512
545dc2a5e7df004c6c540ddcc7ab5a88a49b24ede5e03e3bb2e9db85566c41b7fb2cc68b6e1dfcb945a114d24899d70101a9eb5ad4928a0da28ff769690833c9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
434460850f31d67e95730a0bdd27ee01

SHA1
8f5f73f98f2dccb2cc975d2de22aaf7f7cb8a755

SHA256
9fe2e8d0c2a637f09f6428617f0b63e9b5d2b5d87114399804db26a194f88f34

SHA512
f1e71443016525c7bfcda038a8fe7e8935e92312059755633452c44301804119432f5eaf808aa25cc563fe679a2decaabd06edfb43607fbfa5c64366406c9ec5

Download Submit
C:\Vid2C\optiasys.exe

Filesize
2.6MB

MD5
41aa5117da76a97617d87addf021d24a

SHA1
6664a3a8f28392edb39ea1ae4a515f895eca6259

SHA256
a628f41fce35e4e5229297aabbd1de6f8280872a735b30dcf482a0145ee02995

SHA512
05eeab11b0bc09894ad84594b1acbea26c10a818e2a9972cf81201c6d3abf8dd8b20b61eea75cf1726cf4ca413ddf38a8d54aab0603a36a087521a73a5607086

Download Submit
C:\Vid2C\optiasys.exe

Filesize
2.6MB

MD5
3684859bd82734cf891f1215660eff76

SHA1
2ec0c1c2ede29b21a6deccf095a543e9ffde1166

SHA256
c412b6cb44b3cb7b6ceeef72b149c33230c9ba942a603235bcb9c17fd94af9a3

SHA512
7275398ace1825efcdf6175d24c051130306f918b097c9cc4a0ab65b631ab9770eae42ace879f714735191f604e391385dcb8c2c8702ca489f8d5290d736dbf0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
6310e0f0395644a1bd2d4bec762f9b02

SHA1
f7972b89c70da3f42a62c4b447b715142a16cdb0

SHA256
a4360fc511ad6ce3a02f814c07522b5dd02c5b31aba60ddd7a3c4e3d816eb9fd

SHA512
c41b00469dac883d632bca2035bc5b97a4ab763a08ec70a2a47716cb43fc7ee249d93b00b82ec12fef192d64dd73862bc5cbf2c177b96a79f93433484f1d4ba5

Download Submit