511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
Size

3.9MB
MD5

034f9971c7cbc5676ec4f3dfb05a6d01
SHA1

a99ddf50dc838eafded0de79566ae76cc509e9d4
SHA256

511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799
SHA512

36b9a9ee34ae31c7561936d5a96206a69886fafe113bfff90091d7d49f3ba4cbf3ae958e8385b76006b0051a3526e67699bc611bc16fcbbf6d64d068677ae6df
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpGbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe

Executes dropped EXE 2 IoCs

pid	Process
1996	sysdevbod.exe
4928	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc18\\aoptiec.exe"	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRN\\dobxec.exe"	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe
4928	aoptiec.exe
4928	aoptiec.exe
1996	sysdevbod.exe
1996	sysdevbod.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1996	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	89
PID 4036 wrote to memory of 1996	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	89
PID 4036 wrote to memory of 1996	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	89
PID 4036 wrote to memory of 4928	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	90
PID 4036 wrote to memory of 4928	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	90
PID 4036 wrote to memory of 4928	4036	511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe	90

C:\Users\Admin\AppData\Local\Temp\511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe
"C:\Users\Admin\AppData\Local\Temp\511bc50788beade99e3c39824de61a43b4335dd209f5cbda96d6f52f2212e799.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Intelproc18\aoptiec.exe
  C:\Intelproc18\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc18\aoptiec.exe

Filesize
301KB

MD5
fcfd4110e9ff4ac46089874d92e190da

SHA1
a9c5414eeaddc052bab47a17e6bf2728c0e27a73

SHA256
474ec594f6750ec293c5581b1e9ab829a97247805fd547c287e0bbbb9e1f57ca

SHA512
f397338328046e24f8293fc15d11558741ff43e3a00bb7a37e35f4e0e45590cf4fd44a40880fdac4391a56d8e7db98281d81ab3ecc486884ae8f01e8932e561d

Download Submit
C:\Intelproc18\aoptiec.exe

Filesize
3.9MB

MD5
eb1ff7ca73a2afb8bd86be4ef6dbf452

SHA1
1256db12e2aaeb3d8d8ee4235b20dd3f69dbfc7d

SHA256
96fcd4d54c9e1245ad88368fc4bf6039075230b5dd9655c84394a8c32ecf4256

SHA512
d500978c903358334e0f03be068661d66f593576213c9dc88aec30cafc5088298464152b9538b79471cd83ecbfc3d25e7fb852d4c9edb42b299e2b490bd64d20

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
acf2cffead6474cc6225b543160d2208

SHA1
475d5b7be7428a2489540b1720de4b34da35330a

SHA256
c829580eb0bb29a972d5a701fcfd17d4bd8543827833ea31c3dcf397c87c6a5d

SHA512
38ca8d27fb7db380829d3ec779ae3c61b3fe087cc0223f20cd1598a4c92c161c48c7f2be67c4960e57f2b0114de056789f1302d97bd23f527d71c471298b5f35

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
0d49db815f736a69d70844cef76fb8d2

SHA1
c198dc2520a31045fa01384921cae3f3177c1ee4

SHA256
a23fc7cbdb6e32448cc3a0fe6cccf10d742c8fb22fe84d8f4d62b2c6635297ad

SHA512
71def97c6518dea308b9c1f851231f1c6e13cbbc7752840175583b8ea4babd5e1a67eed83cb59ce2daecf5d93c900a66cc04f20a10e0814c30a71790e2aafe94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.9MB

MD5
ee9a1a4ac4f5c13bf616a290d3e5379c

SHA1
0f5c691bd188a5108d43db4b14f68e07c0a4fd10

SHA256
3655238da03a4c2673ab09f44f56d6f111ab8fc7ca579f16b4ca79c603feb6f2

SHA512
99a223f5b0ca8b13c45ba7b1800884b9f04db7c91dcef20f15e9b3308e722cc40376e67382f4da66fd4f96e2de162300bc9c030ca12606f31b670f22b6bf664f

Download Submit
C:\VidRN\dobxec.exe

Filesize
18KB

MD5
f3611b180f53e7b766446f16c0eb47e8

SHA1
b0a5575b4fca6d2ca1ebf68f998124b33189a5e8

SHA256
da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f

SHA512
80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1

Download Submit
C:\VidRN\dobxec.exe

Filesize
3.9MB

MD5
4a618b67fa7852d9cb812f970a9483b6

SHA1
e48d4eb6c7c3ff5c080d770e8e92279511887ffd

SHA256
6b5c6daa46a40cd4cbcdecbfc57649b4661526dea043c47dc931ae7adf8121e9

SHA512
eb0ee05f2e08f8ad2f15c7bcf7e8b2ccc956d31491d9fa60c845a5aa82b19a8f14ef14b262c9cb8ce69b916cf70b82826e24f24f7b9b1d3a2c93830007439a64

Download Submit