5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54

General

Target

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
Size

2.6MB
MD5

2203c5fd720df2de5a72372ddcbdda13
SHA1

4ae371fb653954094da9d1a328d43ce680802422
SHA256

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54
SHA512

8d1eb95e7d18f68e80f95ae638e692cbdf4a544b8687549d613a912aa71985ea9ba6bcfc0398f2be9f03d16c1865cdb0a094bccce2a8dffe3e49b04f96571ff6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUp7b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevbod.exeaoptiec.exe

pid process

4532 sysdevbod.exe
3884 aoptiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4532	sysdevbod.exe
3884	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGZ\\aoptiec.exe"	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLV\\dobxsys.exe"	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exesysdevbod.exeaoptiec.exe

pid	process
4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe
4532	sysdevbod.exe
4532	sysdevbod.exe
3884	aoptiec.exe
3884	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

description	pid	process	target process
PID 4044 wrote to memory of 4532	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	sysdevbod.exe
PID 4044 wrote to memory of 4532	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	sysdevbod.exe
PID 4044 wrote to memory of 4532	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	sysdevbod.exe
PID 4044 wrote to memory of 3884	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	aoptiec.exe
PID 4044 wrote to memory of 3884	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	aoptiec.exe
PID 4044 wrote to memory of 3884	4044	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	aoptiec.exe

C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
"C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\UserDotGZ\aoptiec.exe
C:\UserDotGZ\aoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintLV\dobxsys.exe
Filesize
2.6MB

MD5
655b58a6db2cbe186ae662b16abf65e4

SHA1
624556ccad0d4908776d0829909b60b9441a1453

SHA256
41bc984a40569299dbbaa440ae5583db88711124421ad05a87251a36390e6a86

SHA512
154cbce2a32cb374c80bd6023e8ad065feaeb2d4e7f34f648c98cbcebdf30e12d765940c258d4ae8b85db8be1eee69da5d08828e445243afc830df66be08911d

Download Submit
C:\MintLV\dobxsys.exe
Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\UserDotGZ\aoptiec.exe
Filesize
2.6MB

MD5
90611c3e333e7dfc767dbf075f3f0ba6

SHA1
184149a4343382072f2c843e6e0e4dabd748c561

SHA256
277796883d3b9ff70d1010c341365a455ec471e38f750eeee452e3a6d74a3693

SHA512
beaede2b55cc03d0f8c30f935fefec673385cd6a3670baa0a94c679443cec4be2a9a3b65ef72543e84ec67e813870a89b3317c4947507f0540a58f62c3996900

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
204B

MD5
5f3cac8a20af7abb9804396779164eed

SHA1
c4a6c4e40586f0cf0d131d4ce6497f3ca817cd00

SHA256
7516b5e033f712dd67a63148e6be1747004fdd3a3be3ac9d4399ed7146644373

SHA512
df0e66754d5d0baf5033129bcb7d98bbc5904ac77ed937f889c5e889d998f5bc90959cf077127f3ba48a25274ce6d11fe3a7260da5b2e217401347f0d11fecd4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
172B

MD5
d1bea6dd4e69ac5e7133a97080c012be

SHA1
7451f85cc201ffae7c19794ba5c479352af2b8ef

SHA256
e1f91f19fb1a94bff1c4d1fa1369ac7d2400ba830315a5c76774802ef1353942

SHA512
0bcbfd4667474037b663eeaae1e76b28ca01c6cc8d24cac8ba88d26392d71280801c3e3fcfb5c4117fc54d91d178178c93bb60d5cdbb6798ce771c3f1a0b9f5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
Filesize
2.6MB

MD5
989fc7310ccf35999e4277f7415d8c45

SHA1
6c81ca8169f4fe6a3fee9400a8234db9d3ef8d27

SHA256
db5b1dc5feebd7c1fac03d57a8fed9d3e6dbb987b39e17d9c77e0cf013fa1f90

SHA512
e1220b398c940ad6635339b1c9c39e114e540321df34c6cfc984ab7a717f28268660fc78efbcc935ccf096da68d3505573c1810a8d1334572049dcb823a7c665

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads