06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
Size

4.0MB
MD5

d9372568d01f4bf994e6d1a5d69089ff
SHA1

ad3e60e119a8433de2ac6349f7aa625c14b549d3
SHA256

06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2
SHA512

bbe1c185926c65198b5046773ab494b5a7834ce8d586a244729bc0aacaee5b9aca56e82286e84034c8d5aefaa2ce8ce0f5fe9391114f5a0844a515ec778d3877
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpTbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe

Executes dropped EXE 2 IoCs

pid	Process
1664	sysdevopti.exe
2344	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9T\\aoptisys.exe"	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOR\\bodaloc.exe"	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe
1664	sysdevopti.exe
2344	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1664	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	28
PID 2424 wrote to memory of 1664	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	28
PID 2424 wrote to memory of 1664	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	28
PID 2424 wrote to memory of 1664	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	28
PID 2424 wrote to memory of 2344	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	29
PID 2424 wrote to memory of 2344	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	29
PID 2424 wrote to memory of 2344	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	29
PID 2424 wrote to memory of 2344	2424	06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe	29

C:\Users\Admin\AppData\Local\Temp\06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe
"C:\Users\Admin\AppData\Local\Temp\06df7ac7bd09d04d143bc5a924026ee7736238aa5c1b51a222f699f78ab539c2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Files9T\aoptisys.exe
  C:\Files9T\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9T\aoptisys.exe

Filesize
4.0MB

MD5
54e1890ccf9314262d3259b5ed97417a

SHA1
5c7b2bb2068f73c90140915c0d9e48c2e761d28a

SHA256
cc9e32a2932362f94459251e6d1df8b1dbf4a6358a026fd02d87280f411de2cb

SHA512
8e5cdb2a712c567ec951a772e4a2b1554317048a70868ca4ecc646bd8f7f44b745ba4d5f4fd04e768ea4e354e7c36d3793592c27e9b2356896c898260842fed7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
865c81db14e8293b7e1b61ba5f9c3f6a

SHA1
45fc5149d1af2358050ee2636d75110c9bbfbd0b

SHA256
2a3fb035ee26be9152293ce855183bff6e1616be25ee259f53c1e98ec9fba9c5

SHA512
ddc7a13eb3957aa61f6bce789404ee6c7ea33397033cabd3af68c25876920e7a33ae2a6df77b00de20fa5f3ca1632b9ac672ae25b0b56e1f31af3390ef6947b6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
70c1e1857b51cad2a9499689913db8a6

SHA1
ae1633482794c4591634cb38edae21030b4cd743

SHA256
330842302036aa202b0cb006e9dddd784cf686b3e467c149ff8a31773df3bd1a

SHA512
9521e6a95d3bcd4c47f14cb76e137627da93f3e3b1edfdde444098919b0d136b6f2f3ef5b018a6adf3059f982152769f53c9fa538c40680a1636ce257a641297

Download Submit
C:\VidOR\bodaloc.exe

Filesize
4.0MB

MD5
753d963ec28c94686084f6ee5af44245

SHA1
89c3f4facea9008106d890b506e6226e37fdd569

SHA256
e59c4fa744c44c2b44f730d5d1207f6c6a50023f00a1669de25bee3aad52d66a

SHA512
1f7bb6ac32a44f40aa6c400c34672db1b92f7afb698115e9cad92624d55ee1a0d4c563287fc11db5cc43b1662465819cac296da07d9623d394a18b794d33fd66

Download Submit
C:\VidOR\bodaloc.exe

Filesize
4.0MB

MD5
c68442412c994ef65b4f11e8ba8064bb

SHA1
9c73cfb30a190c81b64b2d21a3e2685811254ae5

SHA256
6d2c1be446c6656325e12fd731f37d1a182cacf5e33c41b0ed9e8a5e78d96f40

SHA512
51d9fa828a48b528b53e3ce034634fe1441ffe1ddebb691d097ab858b421973f4f7502c6b702048cdf0b0c695976c9cb27704920a76ba1b1b61b4619dc55d68b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
4.0MB

MD5
1fe256a6099da93324169153a35669ea

SHA1
bbf818f4b40271d88419f24a1a17b4fbe10463a5

SHA256
a145c83a3d7e28cf04a8afb983c25313b323e7ed22294c02936a2f5e896904e7

SHA512
ae691783319ca8367b2ea60d0c29003a32b1e9e78f8749d311d7b872dfadfe96f03c9aea8564dc0a55097ecec570d34b93b5f87e44257f340b0a5f21f4d4d769

Download Submit