Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:38
Static task: static1
Behavioral task: behavioral1
  Sample: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
  Resource: win10v2004-20241007-en
General
Target: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
Size: 2.6MB
MD5: 7b919496c5c7313e14132f0f81ad2830
SHA1: 89071682b1c40fad2fc93e56ab79a90707152c79
SHA256: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76
SHA512: d5a4109ba24d3847dc8b07dc58afe3c3414df9e83ab27633ef3c0fb0ef5f38c8f6c901f83033394e12fe8071644162ba7db8b038d8f6d54a54fcf10cd485f0d3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUphbV
Malware Config
Signatures
Drops startup file 1 IoC
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
Executes dropped EXE 2 IoCs
  PID 2420: sysxbod.exe
  PID 4552: xoptiec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW2\\xoptiec.exe" (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE3\\dobasys.exe" (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes involved (the 64 events repeat across these three PIDs):
  PID 1440: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
  PID 2420: sysxbod.exe
  PID 4552: xoptiec.exe
Suspicious use of WriteProcessMemory 6 IoCs
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 2420 (procid_target 86)
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 2420 (procid_target 86)
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 2420 (procid_target 86)
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 4552 (procid_target 89)
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 4552 (procid_target 89)
  PID 1440 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 4552 (procid_target 89)
Processes
C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe (PID 1440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 2420, child of PID 1440)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\IntelprocW2\xoptiec.exe (PID 4552, child of PID 1440)
    Command line: C:\IntelprocW2\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads