70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
Size

3.0MB
MD5

af467074d4ceb0ff5cb043a860731f5d
SHA1

f59845efe04f421ed8f96a8db0e4bd12c0da1fb6
SHA256

70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7
SHA512

a8065402e926ede60d3be997f69921f0ab15b2f2104f8b2a2ffec0596e47cde3c34b243cfd1a5bf483af98c7e7a781597b060bdd159de9dd5afa6ccbda9681ca
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpnbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe

Executes dropped EXE 2 IoCs

pid	Process
2180	locdevdob.exe
1272	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPC\\aoptisys.exe"	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWQ\\optidevloc.exe"	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe
2180	locdevdob.exe
1272	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2180	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	28
PID 3056 wrote to memory of 2180	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	28
PID 3056 wrote to memory of 2180	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	28
PID 3056 wrote to memory of 2180	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	28
PID 3056 wrote to memory of 1272	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	29
PID 3056 wrote to memory of 1272	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	29
PID 3056 wrote to memory of 1272	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	29
PID 3056 wrote to memory of 1272	3056	70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe	29

C:\Users\Admin\AppData\Local\Temp\70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe
"C:\Users\Admin\AppData\Local\Temp\70c8667441113629ab4925eaf6e1c7c81b69dcdb527db9bf18a60ad2990eeef7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\UserDotPC\aoptisys.exe
  C:\UserDotPC\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBWQ\optidevloc.exe

Filesize
3.0MB

MD5
58f259f4b054b0e77633719b64fb364a

SHA1
f093e2263851a84dbdfc6c57bfe79b5cd90ab677

SHA256
a8f8d9151ea29973283a0da79ba614372091f107ac65231920e11d516024d13c

SHA512
66c767f425190b029d7636c873a6b3bcf5fd5014d995466efd61a0e188d590268ac4ecb8624ed37bcb89b693e2038660eb7e8ecbc03bcfecbc79edf6df344ec7

Download Submit
C:\KaVBWQ\optidevloc.exe

Filesize
3.0MB

MD5
e4d34c1a2aa4accfb0378be7fc6e5003

SHA1
0cedbd153726a31c22f9873dcc0ec7c450c3e7f3

SHA256
4711213beedac44478460a04d05da202168126cc2b22947986d693a7d0e8628b

SHA512
c026467f8ffffb256ce2c9631221df8c333599c54d6f926eb682b86080623b097a76d1ea121bc1dd79a72a82c3ef3b2d3750db946fd16787ad48187ed7ae7ec4

Download Submit
C:\UserDotPC\aoptisys.exe

Filesize
3.0MB

MD5
d61496cb22b604254f3fa10e22a5312f

SHA1
fbfdf0a8f883dfe2650868c171987dbb369affde

SHA256
a75b5d49ba2f974141e17d066111f90faabbf627140af92a5917bc961445527c

SHA512
4a0af45bf4025d2ef448807c7c935bd474f4c0ed4fb88edc42270fb7555d309e788c21f193c5f1a3ec00aa21671f1ca5f58f181f7367f8eba43ff2d85e23edb1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
ba635e34f728c6fc98925e149287a39e

SHA1
ba5dc5b47eb3d37c18e70b4c638fcffb4ccad2f6

SHA256
934484619c107c8f47dcd90543fe3dd9511008415e8d282dff1d4b4538ccc7f9

SHA512
21f67c06dec41a8a93ca1bfb66d99a7bda8d868a8209e7766ebcc9b11143db67dbc8d5568ee82644d4e798805c72da9d9a971dedff66464a049b64d392458113

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
08d4c256e7ea25d6d2c4b0fe23bc9c49

SHA1
c578de27f0d798e4599b4581c537be10f30c44cc

SHA256
2cc76cd25f2a1631941fa8c5cde00bed164514ac47f2781f0b64077e6a67acb6

SHA512
ff1a4dd06f3a70ffffc93900d3d4e95950294089ff552aab5f51c6fd4913e46413d21fa5b14007da8f5c1f5d92496e3cab69c3d1e62e088241c966ca2ba9b3e0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.0MB

MD5
e30c68a741888a2c3af014423b1ed4a0

SHA1
eaae18f94cf6fe101f5109431dd8db29f5222fa2

SHA256
20c3b66b85f2e051d6a49f5b4163be5e91bd30767405b34cde972dbca100b086

SHA512
b95e585dd7d8e8392f28ca9fb4cd3ebc36d55009ccc6a1279a50d1c550036de8f855b6618e4a2fb54bf96ee8f2f741a96dda47fd2ec1e663f6b9b59ab20c62c4

Download Submit