085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Size

3.1MB
MD5

4c5d0fbae00c38eed59d9199f4e2dcbf
SHA1

e5e072dfa48b7afb272108d63f11897a818cce82
SHA256

085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b
SHA512

c8372a26491237538d9df3f4e20c2589991534fb7e38cdbbd98e39b6a34379974bae865b74de818551d3e27c2f0d78fc94c8800565502c2fb6889e99033a5f28
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8:sxX7QnxrloE5dpUpsbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe

Executes dropped EXE 2 IoCs

pid	Process
2484	sysdevbod.exe
3036	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMC\\aoptiec.exe"	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHY\\optixloc.exe"	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe
2484	sysdevbod.exe
3036	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2484	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	28
PID 2204 wrote to memory of 2484	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	28
PID 2204 wrote to memory of 2484	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	28
PID 2204 wrote to memory of 2484	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	28
PID 2204 wrote to memory of 3036	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	29
PID 2204 wrote to memory of 3036	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	29
PID 2204 wrote to memory of 3036	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	29
PID 2204 wrote to memory of 3036	2204	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	29

C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
"C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\IntelprocMC\aoptiec.exe
  C:\IntelprocMC\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMC\aoptiec.exe

Filesize
3.1MB

MD5
f17f9948dcb9be9cac69635ee703c234

SHA1
4c0aa750b67e171e1aa73556aa5c0fc62753ed26

SHA256
8add0b98ad33826fdf7e2df91d3a6d6ad3e6c69bf6da77f131f96a688958f05f

SHA512
5263d5aeff2e905af422f096b854e8a9b5cfd905a6f91ddd9ddbdb2513e63816ce478b1407df5f648f0a3857f885738a2a0b6e620916fc7317eab6c60b9c992f

Download Submit
C:\MintHY\optixloc.exe

Filesize
1.9MB

MD5
eeb51321b8c3387256b13c7b8835430d

SHA1
b36f4521fab652fbb0aefbcc8275a4b7ba2daacf

SHA256
26acb767111dde1c5555a2387960dae3c4bcd89271ec57866eab83dc121ebd15

SHA512
07c8b8f993112464f90bb084eac2303657a134a154a50b7b5f0a51ff839fc51aa3947708eed09d7f73030a773e036d291a5b9f859a5359d0bd4c5abe36492ab8

Download Submit
C:\MintHY\optixloc.exe

Filesize
73KB

MD5
dc15e86e319ef185540511b77b43aa8f

SHA1
8a43b3cafc32391559f9308331f6eeb2dc06f750

SHA256
511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6

SHA512
c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
471b8d3fd51f67f0bea31c828be0b065

SHA1
debf51b4597d75f2af9dbec2908f6d0c6c7f5494

SHA256
65cd88e23cf6e7cba5da6d62c65121aaace9740ba9063d6361186ff91051ae2b

SHA512
a1fb0df7faed3e9fe4f185267ba992fc5143e8d44cdb0915af554db7c07ddeca4b7ae19e74bb8b0937dd6303978a10ee44223f13e9c0807b7978ba99403d4939

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
ef92727a42fecac19f90a892dc86e2db

SHA1
53f4975ebdf686c736dd19902f1e659f08dac183

SHA256
79f8dd512e2ccb9dd30f23cd79cfc43791f38e27ebe3a1fc11ec58b2c105d436

SHA512
8086727cdaef208852ad3bbc5b04b7bcda3bb9b20563bc8f0caf97b7ecd92c2b41ae1366419cb2a5b5342275e6e017ebd9ca9c6ef4a57a19a3cd6c30a36453bf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.1MB

MD5
7021c233cea00c12963e8bd945220c3b

SHA1
358926ece243899faa23f2e5f929f8bc8b38764b

SHA256
37f293dee7f07fe83a0a0c3b8513805201842b04b133bd931a0f4a0b583b11d2

SHA512
6f9f2ffe7b9c68b3321f894aba2197a251c03aa8b07393c8e1bff434f964718efd004cc1dda314513998379f9cb686942771288092adad339d8ead00e162fe31

Download Submit