ff55ed7f325774e23de32da446f4e479ba925fc5ab5020e9661c6694ab72c1d7

Analysis

max time kernel
203s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f52222b40053bfa4f2114578a2848c_JC.exe
Size

2.5MB
MD5

79f52222b40053bfa4f2114578a2848c
SHA1

986bb2b858d535bb51a48bfd69fadb28fb10b314
SHA256

ff55ed7f325774e23de32da446f4e479ba925fc5ab5020e9661c6694ab72c1d7
SHA512

b1337e9fddab7e290f4e08b2a6779c2a799c5bd407fa6c85cbd86b589a92c20872bbf81d493c3c379378a22cec84de10f83e2380432fdb13f3fae9d838f4bb68
SSDEEP

49152:ORw+fHVKnQnbcqnq5MkE4bOo4BkZHSjpjK3LBAgvLS:ORww3ba5MkE/DBpiL

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	sysaopti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	79f52222b40053bfa4f2114578a2848c_JC.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	79f52222b40053bfa4f2114578a2848c_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
976	sysaopti.exe
4328	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF2\\devoptisys.exe"	79f52222b40053bfa4f2114578a2848c_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVX\\dobdevloc.exe"	79f52222b40053bfa4f2114578a2848c_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	79f52222b40053bfa4f2114578a2848c_JC.exe
1824	79f52222b40053bfa4f2114578a2848c_JC.exe
1824	79f52222b40053bfa4f2114578a2848c_JC.exe
1824	79f52222b40053bfa4f2114578a2848c_JC.exe
976	sysaopti.exe
976	sysaopti.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
976	sysaopti.exe
976	sysaopti.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 976	1824	79f52222b40053bfa4f2114578a2848c_JC.exe	92
PID 1824 wrote to memory of 976	1824	79f52222b40053bfa4f2114578a2848c_JC.exe	92
PID 1824 wrote to memory of 976	1824	79f52222b40053bfa4f2114578a2848c_JC.exe	92
PID 976 wrote to memory of 4328	976	sysaopti.exe	94
PID 976 wrote to memory of 4328	976	sysaopti.exe	94
PID 976 wrote to memory of 4328	976	sysaopti.exe	94

C:\Users\Admin\AppData\Local\Temp\79f52222b40053bfa4f2114578a2848c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\79f52222b40053bfa4f2114578a2848c_JC.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\SysDrvF2\devoptisys.exe
    "C:\SysDrvF2\devoptisys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintVX\dobdevloc.exe

Filesize
2.5MB

MD5
52fe36bd0321625dda1a6968c7a4bc08

SHA1
8dd679677956f6238f366af563950cf0c8eddc38

SHA256
5d58ad8e22238577f22df109f94b39e55e6555358d8f4ce9e9f3d6ce2f4df5c9

SHA512
dcc5de6633e20cc124b6e7fcb2a4e45ed1206d2e63c4e3faf57451c2fc5beef4e44ec24e132a00ad8f4f20b679683da85337d1052eb12271126e9ef68b83bd65

Download Submit
C:\MintVX\dobdevloc.exe

Filesize
49KB

MD5
f64da58db93976a9909991384e7c4459

SHA1
97e1458da96c69c5c4590ef7002e69942df85490

SHA256
b1a1142bff989c3c07379030ffc675105f35e2a6b9c7462ca044967268820a3e

SHA512
018a7ce418e7a9f1c830ca7e92d857041f6c2c73d7e0a60e2c324387c98ff12b4ba553a9c4675cbc8038803b636d839bfeb1eb0595630ab2fb3d1b8e24ad643b

Download Submit
C:\SysDrvF2\devoptisys.exe

Filesize
50KB

MD5
aab62f79b768991d4cf63543eed5b4a9

SHA1
9a4b58aebadefcae222a719af7d0f4f051ee97e5

SHA256
2fb5837f311388fdfc3ab268592d26b5dfb9be7d804c436186aeee1c50816163

SHA512
7998a87c2153dd8c6615c477517a5d2d4ba8c9bbc580234112b11328abdd76642b9aadce8a1541615b889b511a507a6a0642a0333d309f9f884c2fe2e1005920

Download Submit
C:\SysDrvF2\devoptisys.exe

Filesize
2.5MB

MD5
8805de5755127bd7a5fffac543fd0cd6

SHA1
b77da8a91ab6dcbe24f76417fea7b738ba0d3c60

SHA256
f6d6e1972e2d8a5b774129467255fefbc9675e1d0ef39ee68834204fb70c6665

SHA512
e3d814e91adc23aba7761b5832ab377e4b5a106a5e4c5e081b9aa0fbae5b137618ba9cfa83997cba66a9ea1d16a7afd437dae2346ee77be4dc5b04752098c5f9

Download Submit
C:\SysDrvF2\devoptisys.exe

Filesize
2.5MB

MD5
8805de5755127bd7a5fffac543fd0cd6

SHA1
b77da8a91ab6dcbe24f76417fea7b738ba0d3c60

SHA256
f6d6e1972e2d8a5b774129467255fefbc9675e1d0ef39ee68834204fb70c6665

SHA512
e3d814e91adc23aba7761b5832ab377e4b5a106a5e4c5e081b9aa0fbae5b137618ba9cfa83997cba66a9ea1d16a7afd437dae2346ee77be4dc5b04752098c5f9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
196B

MD5
df0e8a85e89abc3be14f9b1bbe71077d

SHA1
9cda22559bcc9a63a7ebc339146275c5f379e8fd

SHA256
c58defc74d31624ccbbee8ee0a47503db6958c1cc9e57fe0c9efc9dc4b5dbef7

SHA512
cb02f36e34067788897af85f8101de713c1328caf8a0a0fcb29e0f19282a5a43add2371d09a5b641aa982fe3f356beea11561eaea04283aae45c2c8cbd617d29

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
228B

MD5
9c9f17d9830b7a9d550c791d4b2d0c7c

SHA1
be1c3da2ac838e215d6ba5f369ca3098578ac330

SHA256
28f83896a9a10ad4ca4b5955914300799e2e2152677bcada0aede8720280dd42

SHA512
f55f24da02aa7dffa86ff785a223d7f63e4ce65cd1792b218d045802d5d1fd11ee595bd422a21fb77afc71d1abb680d37f2a7d2e9fa5ce03972c3e847bed1d56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.5MB

MD5
06df9850944d281b4a08a6226fcd8dc5

SHA1
6dfbe6c277dc0fbaa17e37d155d524a6cef303f5

SHA256
15c0a3dfcfa7d05d8bca42810e584ee79e3d1ffcd0b83dc5981a2b09d382f934

SHA512
1cdcf3b63f60847f335b4bc3665727e8f5cbdb617d43a5373c65d0a10e35640df3ef4bad2576eb7a02befbcb60fd45e651da98350a3cd9cc24d9c206807ae0e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.5MB

MD5
06df9850944d281b4a08a6226fcd8dc5

SHA1
6dfbe6c277dc0fbaa17e37d155d524a6cef303f5

SHA256
15c0a3dfcfa7d05d8bca42810e584ee79e3d1ffcd0b83dc5981a2b09d382f934

SHA512
1cdcf3b63f60847f335b4bc3665727e8f5cbdb617d43a5373c65d0a10e35640df3ef4bad2576eb7a02befbcb60fd45e651da98350a3cd9cc24d9c206807ae0e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.5MB

MD5
06df9850944d281b4a08a6226fcd8dc5

SHA1
6dfbe6c277dc0fbaa17e37d155d524a6cef303f5

SHA256
15c0a3dfcfa7d05d8bca42810e584ee79e3d1ffcd0b83dc5981a2b09d382f934

SHA512
1cdcf3b63f60847f335b4bc3665727e8f5cbdb617d43a5373c65d0a10e35640df3ef4bad2576eb7a02befbcb60fd45e651da98350a3cd9cc24d9c206807ae0e5

Download Submit