d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
Size

3.1MB
MD5

eb4f6c93fefecb40da195f50fd9cf5ae
SHA1

b66afc8d52b794b2e4dd089b7ae10125da41ba75
SHA256

d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37
SHA512

909e9df085a88d2a61be9f74b95466efb98de386c030ef20edcf7082bebb6496a517586be7d172f8d743fd835f6fac82a75b644d625f729b6e37db27397e1887
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpRbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe

Executes dropped EXE 2 IoCs

pid	Process
4292	locdevdob.exe
4100	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7S\\xoptisys.exe"	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4M\\optiasys.exe"	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe
4292	locdevdob.exe
4292	locdevdob.exe
4100	xoptisys.exe
4100	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4292	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	94
PID 1720 wrote to memory of 4292	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	94
PID 1720 wrote to memory of 4292	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	94
PID 1720 wrote to memory of 4100	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	97
PID 1720 wrote to memory of 4100	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	97
PID 1720 wrote to memory of 4100	1720	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	97

C:\Users\Admin\AppData\Local\Temp\d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
"C:\Users\Admin\AppData\Local\Temp\d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Adobe7S\xoptisys.exe
  C:\Adobe7S\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7S\xoptisys.exe

Filesize
3.1MB

MD5
dfe952747387642fa440055247044c8a

SHA1
0043ec7e8073cef8340f0587bf8afdb976da9a69

SHA256
748e4f8e9a0e3487da133a2b53bd7dc4329d729d1ccd3ebae901a73b2df914ca

SHA512
c34c56330893dae4eeef26bd01659dfe16daca57624ad13654cdf85f4da9b603327abdb3f0f567e01fca0e210a78b7639058d54616ec2f70570162d12ade4cbd

Download Submit
C:\Mint4M\optiasys.exe

Filesize
3.1MB

MD5
50a61ccd7e412ddbd0aadbd071f66bf3

SHA1
190376d4e3aebe5db31829aac0dd1e9bb8e83ff5

SHA256
dd4beb8171268e57893a67531686770dc01d567c9e4027ecd4fb70e99611ce57

SHA512
dabb2637c22bf22a673673f1ed403c29afdd8ae09db0f7dca279490c29bbdeec1db57c033216f965a32ec467daddf833cb8d45385e70ca1291decc5c8cf3587c

Download Submit
C:\Mint4M\optiasys.exe

Filesize
3.1MB

MD5
6867348b77cd34e223d16981a7de184d

SHA1
d039862d71b75ee61ef44d5ec653d7e5808309a4

SHA256
86a61a8641d934dc60b67130d2981370e11df26ad921ab8a20277c1e3e16acd5

SHA512
5ff5739500efd1f19eb2f1aeff5daf9000f80553a485f8cc2aadd1e52408f9a82b15579b77780b03d1ae003d4668912b1fb1b8e2cd2f706295d2746c98ee0ff6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
583d47cb63f20784b90b99f4caa4cf27

SHA1
c7953a07fc8d7f60a4edd0bdde74c051d21605a9

SHA256
19fa191f81f7045a36ceca36baa597e372bb94b75a0e3d6548538d89971b1900

SHA512
297a61715173adb9ec8c3fe481b3fdf26212f6bf19fe42bd30855e500a56b4e849d81b2099622dd561c6211bbf912e89a98548587ebfd9a041e7fd7bb04094a5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
62f42898600ed1c96364c0092a6a7006

SHA1
072d83ac79e1e17f79d789db1bb0e6cfb12c93e6

SHA256
a353c9b5bb77d8905454c70a34311d36ac06b5650d907d4aae829b9ed04cc175

SHA512
b3595f15960ee7e8140900d30625c2794b2a257e06d348c524e72c527ea180d9fc6dd16acf1a03d7026f5f8749e5e3183bddf6c259a18f8720cca59bfa18299d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
d4ceecac757944662dbbc1decd27f94d

SHA1
a825ed8e82809767e929b529582fcddb76c296c6

SHA256
1ca2fca5155b2be7234eccee982b95849016c3a26d444eb6392ed6c04e6b5431

SHA512
2fab3110554582f2ca6e1ae6eb8d7a5873b42b0792d08257e06fcaf92b9ce73f3af9e68d903685f769a357034cbb8ee6246f5d4688bbd3104dd50c8950bbea42

Download Submit