773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Size

2.6MB
MD5

b53073527df4d7478f36adc5224fba20
SHA1

93d72e92facc83a99cfb53ca4bcf4d2e8920f0f0
SHA256

773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9
SHA512

381318224b5183b5368a8a3f365b18265f3db892846397969535fdaf6be5d00abb33f9b5fc785d344662b22cbd264ba47cb3ca08d6881a790e32aaa49311ae78
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	sysxdob.exe
1812	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOF\\xoptiec.exe"	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZC\\optialoc.exe"	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe
2316	sysxdob.exe
1812	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2316	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	31
PID 3012 wrote to memory of 2316	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	31
PID 3012 wrote to memory of 2316	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	31
PID 3012 wrote to memory of 2316	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	31
PID 3012 wrote to memory of 1812	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	32
PID 3012 wrote to memory of 1812	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	32
PID 3012 wrote to memory of 1812	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	32
PID 3012 wrote to memory of 1812	3012	773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe	32

C:\Users\Admin\AppData\Local\Temp\773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe
"C:\Users\Admin\AppData\Local\Temp\773b22c2d4eeb2521b311651c2473836f78502f768f54dbfc114a1e7784955d9N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\AdobeOF\xoptiec.exe
  C:\AdobeOF\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOF\xoptiec.exe

Filesize
2.6MB

MD5
44613f265dd7547bda31750a9a4c0293

SHA1
2e3c0db8e94c84196e817e8c8dc2375f4d332852

SHA256
b31e50d69a4b8d974d249127ea5ac3d1eb68c1620485360ef830c4ffb52c4d12

SHA512
0b7020b02bc4280109385aa16de4e78f5d5869f3d91e05944ddb64157488c332e13baac4f813a923bc0f6beea6a82ce651490af409a3203fb5e82b0577173687

Download Submit
C:\KaVBZC\optialoc.exe

Filesize
2.6MB

MD5
17b915ed3e39c2a5e1ee0d7072d7bcab

SHA1
4c8036fd5ce4a219ac05d430aca3ff131dd5e554

SHA256
772db35809db01382fde2892a8d0a289dc8e0dc73a1a40d4bee02a21a3a29f0a

SHA512
0efa3d2cef92a22e03137d0dd75f7fa642f8b495d4235071613b588057fc2ef54bc985a3c035d612fd9401bb811321b622bf8658df66b728623a2510ecf6b8f9

Download Submit
C:\KaVBZC\optialoc.exe

Filesize
2.6MB

MD5
709bdba1c39004ab02c96d9a0550299e

SHA1
a6885342a925b835608779695c26379f4e6bbe4d

SHA256
8b4526c940163ce36de979993666b2c9fe133b5e998cd4a6fa4bbfb235c3c846

SHA512
52f32fbb04600a3ee1f4dca179a9734538830930659cf319166f8529f68d2ab48b8e654ef3c5921a31395f9d2c35e9488fda5ee5937f2aa66774af069993ed7e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
a8d5bbecd89433f611d32dc4b11f337a

SHA1
c3425f4a1a5e2a7887110a0b0501306cbae3242b

SHA256
b259cab3d4a008c4848ea058cf5f23545a0e8f4d51a1a94f3efe082f8e20d317

SHA512
fba03c220d88cab0c3a8e9f1bf5305c96ffa00671d6a4a4924d0431687c5b20856594320c6adcf1867947b5f386b019ceb4a1fc8bf4e5735f9f808fbc9c01237

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
ac93743274a42d246f65a5cfe7f05302

SHA1
03b0fc45ffe4b8b575c3f1ce02d2c33b9bc55939

SHA256
200cc9f02641fb08b61cb15e644ed18727ad4e748fb8d66aa40f044747098061

SHA512
a7288d434ef62761567ffa837a7f94d2f57188731943e16a0c34bb18679ed6e29eb1c92f64b798257b345e92a41c863df1a402d263d76464ec2c08f5b3912887

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
2d86766b437a739e4b6261f362ae88e8

SHA1
93ae8a06e8b009c98d6724e504588beb5c875d7c

SHA256
95dbd4fa1823881f7720d561b4a1a688e832b2257676d3f0ef0f242a1053fc68

SHA512
21591bb090b2fb97d747e74baffac916d7ea5975147afe9fe30861221a3f40587ef477817f15ade38b2de45e832dd5528664124e45bf32d90a387789ff8fd03b

Download Submit