b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
Size

2.6MB
MD5

0e34aa1533df12297f65bddf32ff80bb
SHA1

ca6f1f568ffd8880d9b26eaa0d591058417be194
SHA256

b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede
SHA512

f32574c44eb21d58de2a1dae202620d66ae4df69fe017b4828f657005b05a873ebe66432571737f78a4bc613121f6651fb86912e8d563719c7d83159ac4e0812
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSG:sxX7QnxrloE5dpUpNb3

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe

Executes dropped EXE 2 IoCs

pid	Process
2480	sysdevopti.exe
2900	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6W\\xdobloc.exe"	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAM\\optialoc.exe"	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe
2480	sysdevopti.exe
2900	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2480	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	31
PID 1628 wrote to memory of 2480	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	31
PID 1628 wrote to memory of 2480	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	31
PID 1628 wrote to memory of 2480	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	31
PID 1628 wrote to memory of 2900	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	32
PID 1628 wrote to memory of 2900	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	32
PID 1628 wrote to memory of 2900	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	32
PID 1628 wrote to memory of 2900	1628	b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe	32

C:\Users\Admin\AppData\Local\Temp\b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe
"C:\Users\Admin\AppData\Local\Temp\b04e1eb64a329b2cc973d62e3908164e5b5ccb1f23fa3ecabfea80903c8b5ede.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Adobe6W\xdobloc.exe
  C:\Adobe6W\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe6W\xdobloc.exe

Filesize
2.6MB

MD5
e2f00bff5ad71c9a9ce864c7a6aa4f66

SHA1
9184b12f6221247766a9569f643f25f3768a98e0

SHA256
9505e65e3cc4def54d867d98be1f0968003f1c0dec1dfeb5428710a60338c5d4

SHA512
4b3c3add7743a42aa4a5b4c33d6c2df801c555ed22206508e6343ada9a16618bad7e29feee27e813e9a722fa0df2f198af882a00f4ab9af65e65d479c20125c2

Download Submit
C:\LabZAM\optialoc.exe

Filesize
370KB

MD5
10bb0a5b99a622ff82da51cf937f74e6

SHA1
a484d1d12f61c92edeb6f167196c6bcad448f55e

SHA256
276409c5000f6186fff216ff80e5584efe68c11731be3d5bd1c9f9d8e3ebce59

SHA512
f13ca8f1b9ad03e205094ce67abd408f83dffdff61edbd164ba398cdf5986905bc18a375d5c5af9ad64339d34134fe5a235061d4a7761703a1d45a8f7d69f751

Download Submit
C:\LabZAM\optialoc.exe

Filesize
2.6MB

MD5
ac7afc403c5218353407689ca10fc5f9

SHA1
2b2c1c2bf2c15bf00f66b4e2138036460e0689ed

SHA256
f5ad06229607075598d71c98294084ed9e6cea0689a1060af4bf64ddc9f9038b

SHA512
642d9792eeaa41faaccf91f7cf1bd8031614f3f4e735af44ce16c2292c22bfb383d8340b10a052e56ffcd4024bbadea69d1b0f73a569457f1a1241cd5f898c6b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
e350d7d7ccc464e98640a7414f658948

SHA1
e5e096fa191f50b149591f6cddf38623a1f38fac

SHA256
a4ce2e58cfd534f287282219e77b0b4c9187d6719388108e1136f2b2b21491a5

SHA512
dade03a50a41008ffff53ba8309f1f085fcc014ba0076d4749b647f59c27087d83373abf0d269708cc52e03ac0dac969d2484b41771e9e49a059d300bfc1507a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
d8cc31f95529939aa984cae153067a4b

SHA1
24af79c0eaae3fe8147195fc46d50ecac97139fd

SHA256
01ba805588b20e0b9cde3621944bbd1cdc633ce8e2b6c48da535492a537a8251

SHA512
80934729a8a1f403629f52eb1f4f6899a8f3a65c90ccaca6b2902b67d33abfdcadbafcfca8d580d8f6e2f19507b33fdee800da04280654a2a35d93edb512c88f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
b99c4cc5f6fdf4cd63893d8b0966ecb5

SHA1
029bdd9b8c1752b68516825c2bd6910c11374e12

SHA256
748526990b3a7a58415a7f36927c4938f48f48320f7d6195d761cd2db4b857c4

SHA512
aa23ca9161793a717cb6a9aaa5f5cb1040219a7617e664fac060d5ba5c9968ab691e9e3bf96cb3cba695f1c348f8e33ef19d0e15d6c1ae9262359e0565c1edb2

Download Submit