e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
Size

4.1MB
MD5

d201a09e64809c33ff4e72e65c5af8a7
SHA1

032b78827a27383e3fe3f3a16b068c821ce7beee
SHA256

e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570
SHA512

c88b52cc6243170e4aeb12e26be9e21cb040c0c0d73f702cccc4e5be8598121536de9c8fc49f930bdac8cffb2b157b79a140dd3b9ac505b85f44f5cf03a3f3ef
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp1bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	sysaopti.exe
2312	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRT\\aoptiloc.exe"	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWA\\dobaec.exe"	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe
2328	sysaopti.exe
2312	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2328	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	28
PID 2752 wrote to memory of 2328	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	28
PID 2752 wrote to memory of 2328	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	28
PID 2752 wrote to memory of 2328	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	28
PID 2752 wrote to memory of 2312	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	29
PID 2752 wrote to memory of 2312	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	29
PID 2752 wrote to memory of 2312	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	29
PID 2752 wrote to memory of 2312	2752	e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe	29

C:\Users\Admin\AppData\Local\Temp\e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe
"C:\Users\Admin\AppData\Local\Temp\e160ebd1d3d6472e33f380ffcbcb1905ac553b49f3a91b761323680c3d427570.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\FilesRT\aoptiloc.exe
  C:\FilesRT\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRT\aoptiloc.exe

Filesize
3.2MB

MD5
40a8b51b7ee36016450b5e973bed06c3

SHA1
58cf944a793803c465c58a2f3dfcc78473d3b044

SHA256
bd6d9aff622ef4cabe50861714093f8fbe3e44ea23e465b2dd078d60efb56be5

SHA512
b0b9490eb9f2a677ae1bd6c432b7ec55815da453c967492abaa32770a53a7d282db8c39379d1643657186755658f0b85018478066ec9bf13b720b6a73b75c283

Download Submit
C:\FilesRT\aoptiloc.exe

Filesize
1.6MB

MD5
96fce34656476d1c40b2d49d3a6db969

SHA1
fe387b36e2daeb033239844ada975cd38ea84369

SHA256
00722fc52726a1f5e6ccf3e75bce761146528a88f1749500595a1bef4b6b4d6c

SHA512
73db6a2b47336cc9a43cc3bfc28b76440e91f887a1e2c04b5cc5f7ff9ffb6770a73ad1fc78dff9872fb5e0944b9861d78c0ab931e58fafd28a361919f485030c

Download Submit
C:\FilesRT\aoptiloc.exe

Filesize
1.5MB

MD5
1af0b38bea15950a399de18fc08273e5

SHA1
b3ac0222baf8700287eac91416dd78464ba2cdc8

SHA256
aec8409ff362e0ac41e40641b1963d6a2a2e9ba650227ad71cb591d38818677c

SHA512
999c1694dd8143265548b7b1c74c87660086736fc5d608b6474693768e51cfad777d4fa9abf6dee8b3b5ef59a151854682ecb4572e51761ab6c41d1f6f4764c0

Download Submit
C:\LabZWA\dobaec.exe

Filesize
3.0MB

MD5
407e5544636c577f41d8aab18f047102

SHA1
7fcfcc625816531938d08a285ebf011af1f59234

SHA256
4739ecc37a5fe441a54f1ca5fd10853636b19462228348978bbfb9e2e2bfb11d

SHA512
993ccb5fe1f6ffb2f90d93524cad513439c15ccc440ee309efa35791f647279672aa093f0e225f5974579c930279b579c90a01c92d77ee7cf3ad970a344be31a

Download Submit
C:\LabZWA\dobaec.exe

Filesize
1.6MB

MD5
16b5a47b02db5defc52ca1f5da5da10e

SHA1
142d604e71516bf9b0c665394ff853abe4b4842a

SHA256
da42b5acfcc018279fac1af8a57f9cc43020074d8079e067143f2e44f6709360

SHA512
b680c75c5eaced26e4bbdb08d8b0c1dcf520430a9b5b2e891f43df040315ebe1a032c1449ff9f1beb9376dd54cf2a388e9b18aab8e15591059f5aa9e67bfd389

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
76e5280d1f79a471125cd09be5ce2dca

SHA1
52d4bc9b346adced3d447e9a9a67d279a8ef99e2

SHA256
8f14ca3c056c667ed97529ecde9bcc53da04b593fd0dc90468c19b63aeac070d

SHA512
9708390d9fd4e291ee829c47f26c9b74c3c36d2fc3562fe7bff1618cca252a1f1dbb37a040af2f9b10d5ff6b7da3adf6657810c1b18edf03b623fd78f08df79c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
c1dbc30193cab0ddb5439c0f164ff0bb

SHA1
714b5bbd656b838cf75787af9862869eb20c8efb

SHA256
dadeb47bf92ec3bcbcf68d2c249f8cfd1528daee215db00ac4c6654e4e1f1c98

SHA512
1a6379ce23d21b028aa2444b703b448c4761bfe7f1f7c9f0c8096ee5889bc0461b372b3f5426bcd240c1d106a0527f0208e983584ebc58d8fc7130ecc12c0ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
de3ad72237a8b9dd74ffc0b02a17f430

SHA1
570ad795941e9a2e436d6489e4cf29c2a597e933

SHA256
06597ee69a710386a32c0dd5c07b41ee218ff61e3b5f450000e06ede78c0abae

SHA512
d970373529e788d48063adf0a7478590bcf35610fde4d4632ff3b90b1c63ab67aabdca8843cb02c328915b762cfe878d4deb925795ff4112f0752e6d40be2da0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
90ddb472d96daed32f07e8cb8ad3c6c5

SHA1
ddb8da6268d2a1097de3bf3b270141e86b504e3d

SHA256
e0d76a89449518bfcdbdd5d401e3c949b74096c1de898d6ec7cd065e19461a87

SHA512
d7af94312a06ec8f0830cdb56fcbfbefe3cbd5a47cf0ca20ea87682af796d2185b6075c689bb0d2828be099491b6dbfe38d4dea47d2f475c31ccab0bdf2e0a04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.1MB

MD5
1de1c9597be6237b1fda838f7dace378

SHA1
3c52d789c3099fa0213aa98db4c39ee2442f0225

SHA256
ffa45ede6feb4a6ba25a9ea94b28971c26e31ed211c6c20b1bb2542d3fa81853

SHA512
6a726451fc5b1b653a0d0416a3bf0e18a1147535e759c1a38064c3ff9e29cfeb86778bb899669456cb68375e487a1ae42beb51815b3e513b2f4f2e9b76554238

Download Submit
\FilesRT\aoptiloc.exe

Filesize
1.6MB

MD5
cb8302db99c05da09ebd82946faca440

SHA1
0231a10c011c0107f02117e6482cf2c3eaf951db

SHA256
be31aaa336973abadb5fd30fd803047aee811f6b6ec623f24244abc709d261a5

SHA512
3f5e4660884afe328fade3224d56488ea135de94ac2b157ae2d359bc963249b554cafefcce59ba9f73e1299064884739e9ea3757e160dce0dcee33206efdb3f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
00f99031245feaf2181257b58bdcb640

SHA1
608a70fb11f985d6d06fb1e735016d1bc39f2113

SHA256
a8214ca92361ccf3e27bdc7fe472293e349a4ebd1b5dba1d299f193870ead9c0

SHA512
8d56f1a01187c39798d68c9fe3745061ca5482ec1bafd2b36bddfb88382dac0eded88a855b17a07d82272c8fecd2d0ae35ca70f1dbcf8bd656897a80626a459d

Download Submit