5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30

General

Target

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
Size

3.9MB
MD5

cfd73c93a6339b5b973fa7d6180e3230
SHA1

1a3b7f6f9d10901264cb819b749d6ad759518f2c
SHA256

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30
SHA512

7b63c5113f61d58d09b192f116fbb034b7f4715103ec541e9a2ba1e781db79752ea5f3da44dbf8c9d0e76d19e637d1a883e98da1f39ab8228a31bd8d80f4a464
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUprbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

Executes dropped EXE 2 IoCs

Processes:

sysadob.exedevoptiec.exe

pid process

1908 sysadob.exe
2292 devoptiec.exe

pid	process
1908	sysadob.exe
2292	devoptiec.exe

Loads dropped DLL 2 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

pid	process
2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDT\\devoptiec.exe"	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidI0\\optidevloc.exe"	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exesysadob.exedevoptiec.exe

pid	process
2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe
1908	sysadob.exe
2292	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	pid	process	target process
PID 2956 wrote to memory of 1908	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	sysadob.exe
PID 2956 wrote to memory of 1908	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	sysadob.exe
PID 2956 wrote to memory of 1908	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	sysadob.exe
PID 2956 wrote to memory of 1908	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	sysadob.exe
PID 2956 wrote to memory of 2292	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devoptiec.exe
PID 2956 wrote to memory of 2292	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devoptiec.exe
PID 2956 wrote to memory of 2292	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devoptiec.exe
PID 2956 wrote to memory of 2292	2956	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devoptiec.exe

C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
"C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\IntelprocDT\devoptiec.exe
C:\IntelprocDT\devoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDT\devoptiec.exe

Filesize
3.9MB

MD5
e0c6f3c6f531112a5b8738b7653e3c8c

SHA1
6576f970ed651725c14db31344c65717b5c67c32

SHA256
8bc5d10201b6266b7c024a92a259bafbc633ebad25e398ad4c4fe3bdbe1bbd74

SHA512
093a182b8e9e7b4b0e7f266e1cb36445ac1914be2b4f6a587f967247632055b6d4fb2b649f2269f46baba167ed1979da74497fe7087244a84c2a5b6de9810f8a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
b35e471b4a49083c15578198895cb1d1

SHA1
55636336c6f6a2bc87edd02e9091b82def55e517

SHA256
49dfb38c85afdd3afe7d985568827826211b9219e3616b604a375e9453a14304

SHA512
5f5563e078b6f3039336c28af1ee89da8cbbb6ea2b4a2b15ae77686c6c9ac95d6706ebd3cac41cd8305005c1f2ff1fd0960bb6b586e1bd15f96042ef9446ea3e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
2c05260de33091bb20929650dccd64b6

SHA1
f22b7c4ad63d7d14d3934aeeaa292b7c704115b0

SHA256
f99df0e08b6c2c9faec74325e49d723eab3e73b3bbbee494eeef2393743442c0

SHA512
f5d820a8d46e785c10990a0d28947e9fb3d4840ce12deae07757676d52d13fa9471e9d5c2b0a04b81f429a121ac81c0adce9dfb52e04791c0a5f4b4c63ab8115

Download Submit
C:\VidI0\optidevloc.exe

Filesize
2.2MB

MD5
b8f90fd8fb2b3fe06997b540bb8d8dfb

SHA1
e7582c7dd44583b86a931d0362f35ae7db4bb11e

SHA256
334e451fc5c36afcca303ba8712a78cbb5a445585fcf66fe7b786adcda42c281

SHA512
c45f7c393e6fba4c0b516c8c4e20beb8a66a5c9eaa75d54fff0c3012c09ecf3346172879acd43c707315cb2948cb85a0f04688b07199d27cc24befb05563505d

Download Submit
C:\VidI0\optidevloc.exe

Filesize
3.9MB

MD5
6164437a5afbf036379f8964081793da

SHA1
7c56dd4ddcbad1fc253f4dee0798561f68a50a92

SHA256
1b492dc39557678090626233a9de3ccb04a826cd983801765280e6e29bac1044

SHA512
b39a0befba4eec5a5eb527a9576b1dba25dd6bdbec747e5fd53b5b94a40487f7efa35cad538df3ece6704946a2889fee79611372a455ae87cae3737623ffe215

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.9MB

MD5
8db882642b94fb583b0320b9b39860d4

SHA1
60b06a2c80d050623de56c0c765fdfeda990d621

SHA256
95508963af9972a7f1e782d6dc740952fff6086820b97fb8c18b6466a945aa10

SHA512
6924b9d12a5bd2a130994a6650166c14dfc66985851683af0f587ef451211e65f09e99ed1f60b26139076ad66fa9ff1b81264b0f35aeeb366afabd83dc326807

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads