6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
Size

2.6MB
MD5

0af12e1b30d16afcb6ff3158a081ece0
SHA1

e831c5f2a383621a1bf77c04987b0aca868c97e5
SHA256

6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51
SHA512

9a0e7f1b468d8684478aef3160d425039b27b432c7863c63f6ccaea04e6faf233a94ef51bd5b3336f498ebd8d963eca532e913b9019a8ae07f14715e5c68d93d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpAbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe

Executes dropped EXE 2 IoCs

pid	Process
3376	sysxopti.exe
4904	devoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUF\\devoptiloc.exe"	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6N\\dobxloc.exe"	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe
3376	sysxopti.exe
3376	sysxopti.exe
4904	devoptiloc.exe
4904	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3376	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	86
PID 1904 wrote to memory of 3376	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	86
PID 1904 wrote to memory of 3376	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	86
PID 1904 wrote to memory of 4904	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	87
PID 1904 wrote to memory of 4904	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	87
PID 1904 wrote to memory of 4904	1904	6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe	87

C:\Users\Admin\AppData\Local\Temp\6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe
"C:\Users\Admin\AppData\Local\Temp\6f0bdf62dad9d4e71975c02dea1ba307f1096e1a51a9eb0d70c3d3b98b01ab51N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\AdobeUF\devoptiloc.exe
  C:\AdobeUF\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUF\devoptiloc.exe

Filesize
2.6MB

MD5
2d28440464b00a6d8446ec8a8f328164

SHA1
cdeaeee626ac91d9b55ffd26ebea3239c272f086

SHA256
7cf3e995f435eb06bbb2e1656ffed12bb70967745cd52ed68cc0164692b52455

SHA512
a5106dc2167dd54f598e63a930c1d44a7214809774025b426e34c017294ff10996b135eefbdef02b744122dea7e07d48352007d085372819fada1890a1931049

Download Submit
C:\KaVB6N\dobxloc.exe

Filesize
2.6MB

MD5
b53ea6513f1025564cb4a4a67a76e04b

SHA1
7ab98449046cd3bc189ab872d52bf59a13d99e60

SHA256
21045c58453f0b9e5cc39df69f6451122565f757d15d3dd624a2d73993c79fb2

SHA512
9d67215f081ba9ec8af4c30df1d166524ade3152a1ca62174766b846cf1d3526d14a5dd5d48051c133a5a29c19e9e581460521609cf6178b417badab5dad5d1f

Download Submit
C:\KaVB6N\dobxloc.exe

Filesize
736KB

MD5
c9df5150e157c0f635ca3e86431490b0

SHA1
d3fc56a2b763fd837c653c280071441e03659792

SHA256
2053577de5f99fc9897698cd099ea3f2ba30280f9bdb36cb9f5f3340ece6bc06

SHA512
d512148d3efbd0db78981085fba7a989f2d5a82e33e947573e0a1cc953036efd2362340c414061a3e34656289d446ccbcfdf699dd0e6a21758838bcef36b171f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
d58c0d709a1394bfbd61af5476e239fc

SHA1
b339b2d62cf6f98e85f5046f32d0529b08bf59cf

SHA256
ffe6c2a21b2c78210b03f8f797100e5c5d6b72199da123ad04cbdffa30afc5c3

SHA512
180d4c9c8fe6850e437aa17eb01cc8477a67fa93c1dfc862a512eaf8fb5fa980d2594babe33332a7ba998d728cfdee3c0dfb243d44e28ec47c3e90a4317553cd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
c0f428cc224434af12b185e47470a961

SHA1
076bbbe7899bbb5fa469d50e6fc4129cde510cef

SHA256
749ee1a341fdf7b93eb3781accfe0c4e2288b6dedcfae1ef7823c7ca144d5b04

SHA512
c2210689e0ac98bd69032aa61fc6f7382460db86a6587bf4989d6101bc7bf1d3ff9cc71d52162e2ad5b8babf954a962cc8ebf47d01cf88f371bb7bb6062fa81f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
de120f40e8d4fec8208b993a7b5b5051

SHA1
8b81a9aaaed690518d674f5fb6a761a575fbc0db

SHA256
cb40e0da2744c5185019a52dd0654df19031732f3ebeec6f906fc7b867b9b56f

SHA512
a84f7abb079b8abae2863b7439fc87122cc851c8f53b0b3a1c849f4105c4e04bc001ae5b43b17a32744089706bb46aded8b2c56c631c9893bb4647f18b0d81be

Download Submit