674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
Size

2.6MB
MD5

bbccf5921ee79227a8edc88a24af9320
SHA1

01ba185f0eca095ca1cac57ab8ea53633b52f465
SHA256

674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9
SHA512

384d3d921bd49ba9c97e015a7fe0191c68a13530c97cfc1e346a159ae826881dd7c2b9e59b316832c0f6c223becffa88bd97d66bea750e599be5def93162e46b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSO:sxX7QnxrloE5dpUpObB

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe

Executes dropped EXE 2 IoCs

pid	Process
212	sysabod.exe
3000	xoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR8\\xoptisys.exe"	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGN\\optidevloc.exe"	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe
212	sysabod.exe
212	sysabod.exe
3000	xoptisys.exe
3000	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 212	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	87
PID 2104 wrote to memory of 212	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	87
PID 2104 wrote to memory of 212	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	87
PID 2104 wrote to memory of 3000	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	90
PID 2104 wrote to memory of 3000	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	90
PID 2104 wrote to memory of 3000	2104	674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe	90

C:\Users\Admin\AppData\Local\Temp\674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe
"C:\Users\Admin\AppData\Local\Temp\674af389b221f9224e71ded84e99e4a3ffaf9923a6093bf996ef3853ceef9cf9N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\UserDotR8\xoptisys.exe
  C:\UserDotR8\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBGN\optidevloc.exe

Filesize
2.6MB

MD5
865d531ccc8d7aaa41ca5978f6681b3b

SHA1
a18ec4ffc748d2d3ce17996157f97bc66e4dcbdf

SHA256
555bafce92ed9b50483c8530e45b1f5463f8b3168d3d3ef398fe1453fe2e1bab

SHA512
412000cebdd0befcb2dbcb5172f5c57c22df72b31355119626193619efc293f4b575335a205fa15e8fb7475182907cd6f1eeda851dd956cb09f8df5190596ff0

Download Submit
C:\KaVBGN\optidevloc.exe

Filesize
2.6MB

MD5
d3a6a701a542ca4c26df1ba181a6d18f

SHA1
28dfc6fdc18e00e01104657d54683140cf3718c5

SHA256
2bdf1f85012e07d37f00d482bc75358a658c7ac17ad18a1fa2277ea0af327966

SHA512
d63174638d7419f5f38a2711fc60a9a16035c992fb09421d35b2f4f08441fb8d65482df4f99a52b1745577f8fedaafecc323906c41a2830249d12c9f1d85083d

Download Submit
C:\UserDotR8\xoptisys.exe

Filesize
2.6MB

MD5
f6fac0307f26e84264ad5fbe534bf4c5

SHA1
217a8ad5ead3f6c904ffb4b2857c3bbfd65596f9

SHA256
9311b6450075114dd1f4542d1fd50896d903add20de039e8e9b5e7a9aeec6f64

SHA512
5365f7d28d324f371de8744a3d5c652c473bb5b1be195ba7ab9301e7f42c1e9134a8abe1e814e0ff0415be3674858af82f3ba286275c85e91aade54aae524b86

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
261cfd1eea9e8c20161886b269915bc9

SHA1
401220c366c9df786ecc1cb683b87e0febbb058e

SHA256
5c9b98b8c0292d8bed3a3bd2605b6643273e4a357d11a8493cf37a0f67c17678

SHA512
0b49ceb86d2a9d983c857ea966d9e8338330ea578cdc3244c05e21a294fe63a19cda5090710ab86c187b314c8d758a6f8cf501c2f8b0e5a529acf49edc3c5f9e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
71fef6c5a7c141e4be15071cde472add

SHA1
4e99e1f43e5210251a07b7b29043b5633cdbcbf0

SHA256
8a29ea35142eeb2d8f70fb7d64bf54ab70f2ac798b213f6f3a0639a2b2cbae74

SHA512
9913a145f77ce0b32fdcb477a8a1568b00723d1f81d31621d86642d24355824c977f0baabdbdf4d23d2d574d8d3cdb659e1343adbd20dc87519e12a0206ec506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
a5178fda915461c8baa8c91e006db3fa

SHA1
06d31499a26bafe481cc8af0ff068a50f78b6589

SHA256
4c087c005d590a89fa229b03cd7736f1003f504277ecae0ab6f4ae80b27445a0

SHA512
bdc0b5bce2341b9a0ebe80b3f2138a730fdeeb33623089a17f1b9f6412c8c3f42f1744d82d37378c13f5f741fa6bee07b4543e123632a0b57d859b11ecbc8410

Download Submit