f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
Size

3.0MB
MD5

8c63ba81f9a94f6722a9e39a7fed5e71
SHA1

dc16f83d05fb76c6904ce8b4b7e1ecf86a358935
SHA256

f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94
SHA512

a494e406e5784263dbcd8cec4f9d18b0d0ecadae4250402ca0f7f70280cb4a28be08b6236730fb8d279b8575004421e20e68e2277301186e4b18c32a601f6150
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSqz8b6LNX:sxX7QnxrloE5dpUpxbVz8eLF

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	sysxbod.exe
2888	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQA\\xoptiec.exe"	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5Z\\optidevec.exe"	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe
2840	sysxbod.exe
2888	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2840	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	29
PID 2376 wrote to memory of 2840	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	29
PID 2376 wrote to memory of 2840	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	29
PID 2376 wrote to memory of 2840	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	29
PID 2376 wrote to memory of 2888	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	30
PID 2376 wrote to memory of 2888	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	30
PID 2376 wrote to memory of 2888	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	30
PID 2376 wrote to memory of 2888	2376	f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe	30

C:\Users\Admin\AppData\Local\Temp\f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe
"C:\Users\Admin\AppData\Local\Temp\f2897cdbf09740f2af7a294e7090076e55e4017eef17c71796cdbeaf324a2a94.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\IntelprocQA\xoptiec.exe
  C:\IntelprocQA\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocQA\xoptiec.exe

Filesize
3.0MB

MD5
84244226eb2860515f3cd93bc6bbd58d

SHA1
368a6cf6f5b92edb889ddd6acf79d503ef2e58c8

SHA256
3bbf1c8020ddd206d001ec16359262acf9773c9d4b46f2fcd038c170cab3517e

SHA512
844ee8aa4840576d5b2044804a950ac78162dd35ca66b3a5396c172e779e28426c15d5e236e9e497fadd5fab75942baea3e4d810b139b069a86f2a0fe0d17a10

Download Submit
C:\KaVB5Z\optidevec.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\KaVB5Z\optidevec.exe

Filesize
3.0MB

MD5
6dcabbb837b2e06e1d850a6cf4975cac

SHA1
d89846ec645b7729f18bedff7fa8a860b65472de

SHA256
684e4b9528a29681589561b075b3b99c194cbd8c0d747f8e2166fe16b3e34f2e

SHA512
2d3c9e45671b96eeb734bd2f4a1653da84c4a804cbaac6137e95b5e944bc40e10348d4fd9b32859b1a10ace0447a88a85f56fbe11b2e4270b4789a861964c96f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
1e923a70687e5bd59979586eeeb93b3b

SHA1
4a487fc050297479a79a06b4ae6b91e1d455c935

SHA256
7a4a2f90cfaa60a981191ab2cd7b2c678348fddd21a1e012d480b4226afd2f5c

SHA512
c288827f0eb3d1d22b209e352d78b952511ec067b7b0f6e4e892517979adecc640dcc4fbd75c4e75ab24e841e6dece75cd5f45fdcbda3254ba6d9abbf85736db

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
84415b08cd4928576eecea4b73a0df42

SHA1
0c0b41dae27d70698593dc6931162e79eb464bfc

SHA256
8a3c4463ac33514b9b3cf4d07767f73f30651a02f254c1a6e6a4752001f8821d

SHA512
d0372248c204666f9e3d29abf63e982393d81a537f6e719b44d7183971c2f08549fc33e928ecb7f8ba1c01b870353524769075f8dcd3062f8776705a63070292

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.0MB

MD5
55e30df492af305d0c12098a43461af0

SHA1
ace5d5e4f29b931f9eb10c6fcbf694cd8752c70c

SHA256
6112dff22ba8a7d044726746bd53ea34c7fe969e750f936a66cae28042c18d08

SHA512
50a434c2a9446ef99b4cc8231dbfb1bca8bb5af30d527c7982f7cbaafdfe5ec6a1b00488d7b17520f0dadf915cd25dd7f950bd5f1a0a5b1f23da94ed1c790e8d

Download Submit