73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
Size

2.6MB
MD5

5b23ddde0f2f5a9a0610ebedaa2886d0
SHA1

b04e45075999a89ea7e872905a5e96851389bdaa
SHA256

73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78
SHA512

50192825ef3d62c884380ba141139fc6a1193f98549d212e0cd7641ddf871b01eef354cf45e1ee6d6d251e5c4e2aa8ba835fbef0e9fdbb4f85e3ef0d8f87203c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpab

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	sysxdob.exe
2584	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIM\\devoptisys.exe"	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBNZ\\optidevloc.exe"	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe
2568	sysxdob.exe
2584	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2568	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	30
PID 2096 wrote to memory of 2568	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	30
PID 2096 wrote to memory of 2568	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	30
PID 2096 wrote to memory of 2568	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	30
PID 2096 wrote to memory of 2584	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	31
PID 2096 wrote to memory of 2584	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	31
PID 2096 wrote to memory of 2584	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	31
PID 2096 wrote to memory of 2584	2096	73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe	31

C:\Users\Admin\AppData\Local\Temp\73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe
"C:\Users\Admin\AppData\Local\Temp\73c17409cb9514828e06522fec9c823c324c39e992db2f45b17e855e81f0bd78N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\AdobeIM\devoptisys.exe
  C:\AdobeIM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIM\devoptisys.exe

Filesize
2.6MB

MD5
bf01dec9fbdc0003ecbdc8b673632ade

SHA1
a0ae1ab697c4f332d38cd279c3a6d6b64a7c28c5

SHA256
4ded2574fcef82c85651d0fd6e116bc2997e8c52fa39b20eae3b6f9bb094489e

SHA512
379a62269853e876b26e51b700d528aedc4c9493cd308b88d7b00d6efd6e0c93523ef83413d0bf5696fe53b7776ebed9e53ac4dda794d27f42723a9bd3d72d5b

Download Submit
C:\KaVBNZ\optidevloc.exe

Filesize
2.6MB

MD5
12ef27876f61ecd1c70630c1dfcc7db2

SHA1
f1c5d525502534ae3751c80ffc3f5e33414b9f9e

SHA256
252bb415ed0f07f95c5265a0ce8d3a480bb2d602b47392c99ab4441f8689f48f

SHA512
a40c5f440dc073e771d7fb2eee6c86a07ad66603d8da2239ad9ad62095382469812f19ab69357cd8f8ba02f94ec1ea9738b89b8290f88bc4680292eafdc04432

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
54f4ee32093e7219d3343fd8e172cbaf

SHA1
e20e38c930b70e0a22ff863ed04681154236540c

SHA256
497c77623c7292507c9abb9582c31bb318479040b2f0e7dc888d385d4ce467d0

SHA512
cd3206ae4506de1d3ec805b3d8bf94795d99cfc6377194d2e21dea82acea7be19bb8c95e14d05c831143cde2ceffe3a22d134336b707b5f8d126b2de9d435fd1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
0d4bf74564c7ac381fffa9fc3fae140b

SHA1
e7c7e90d090641f7ccff0818e37c2700b69b53a8

SHA256
b7c95179918538ef0e48dd070c41308bfffc5f0d3aab74453f13cfedc3a9d6ee

SHA512
ca9e004b63c8ce7cb89b71064128c894fb35be2660997fae3338b58c1d63c4accc2fafd214c17d5d6a75b55ca6ebb7acad49e4af1dae8a7c2b740e6afd7d24f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
19a3188eedf11eb89e6f94e116b7c017

SHA1
32f392bce7c4a9dea62d72195826471ac864a1bf

SHA256
4b60d206bf35fd3946a06e8b8c19474afa5981c800843fb20eb3b05679f373b9

SHA512
29fa2bb606c40cc5b65ae39689ec372434e596f27c9d217bf3e4232cec8046cf0f4f79685d3183eb8022a76f18687dba72ddeee295a796b3bd2745556a83845f

Download Submit