Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 18:30
Static task: static1
Behavioral task: behavioral1
- Sample: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
- Resource: win10v2004-20240508-en
General
- Target: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
- Size: 3.6MB
- MD5: 4f86b6f135c82a8aec3bfad4551c9b93
- SHA1: a1b9f711fd8309a2755ddaaaa4f832d5d5d534d1
- SHA256: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5
- SHA512: 0cc7fed23d743c903f1b0c7312e82e4c6fd5795cafb01b7ea520b21503099bec747f8ca5540e12453bf0692d88b60ee6696c060e3870752737ec63ee09dcd275
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8:sxX7QnxrloE5dpUpzbVz8
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
- 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
-
Executes dropped EXE 2 IoCs
Processes:
- PID 2744: sysxdob.exe
- PID 2608: aoptisys.exe
-
Loads dropped DLL 2 IoCs
Processes:
- PID 620: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
- PID 620: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7T\\aoptisys.exe"
- 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint89\\boddevsys.exe"
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 events, listed once per process):
- PID 620: 097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
- PID 2744: sysxdob.exe
- PID 2608: aoptisys.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 620 (097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe) wrote to memory of PID 2744 (sysxdob.exe), 4 events
- PID 620 (097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe) wrote to memory of PID 2608 (aoptisys.exe), 4 events
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe"
PID: 620
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Depth 2 (child of PID 620): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
PID: 2744
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Depth 2 (child of PID 620): C:\Adobe7T\aoptisys.exe
Command line: C:\Adobe7T\aoptisys.exe
PID: 2608
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Adobe7T\aoptisys.exe
Filesize: 3.6MB
MD5: 1ff90202215a9b855fab82869007011a
SHA1: c613491a72655c320e651774e4a6588d4613746b
SHA256: 5adb5d768011aceeb5bb3eb6e6edcb1085cfbcfe555c8378b6066a77a9506a8d
SHA512: d377fb5286de28f4e70d5dd6ff1a83b82b07d52574a1b08cc3662c8c17cb686cf224cfaa9dc451d04c58f265b22cafacd1588fb0e4c594760452ec317da41faf
-
C:\Mint89\boddevsys.exe
Filesize: 3.6MB
MD5: 015056ea8d0c20e1c4320155924fd43b
SHA1: 3bfba8ecc41f48a874f4a62cbe11402d939df4a9
SHA256: b10913cd8092d08a9a922795b6bc4bfe852574baa006fc5a4d848e2e8fb03b51
SHA512: b0d63c85a80d4634ca362892faa523a262caf7a1a3adf8a7d66e9210045fee54dc2c332334d841750410d76796981ddc1df875f0f2d294a6b60ef04283fe7985
-
C:\Mint89\boddevsys.exe
Filesize: 3.6MB
MD5: 81e20972eadb16717960c0963825332b
SHA1: 7e3eecdf1f35e7402adea345b222c36ec23b8e68
SHA256: 89bbca538b7eae32a502b5b6271ccff3b2473b8852d464cd9d4b3540df7030be
SHA512: 3e1cc47cb7fbada5526104015c49fd6cd6d6b50b076c7d5a6ce3b0f1dd4894b6077f4538b5335784fb18ce9da37eab0677f808d948a53a05b64212730cce3089
-
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize: 171B
MD5: cb91fffe65cbe6b325fae1e81e438140
SHA1: 320a6470d6e1b633ec9f364fd459bf3662b7f25a
SHA256: def5e675798adec9b6423cf1c8e3cca706e2af4d5005c188bab597e844a311b9
SHA512: 38097ae2445acbfa0c2e14fc0994b3813fd81918309859daa32372349dc7791062db4f77fb5614bd6acfc62ddaa219bf80cef3621514dbefd5dee3b325f6dd4a
-
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize: 203B
MD5: aa9e38214a4a8c4a1d489c2eaab5c8ba
SHA1: 4a280034789be5c7fe717a57e55206f2a6dc9386
SHA256: 8879e50753f61202e1b57f7241fa8fe4ea8006966adc88d914043b1b556cfa5c
SHA512: 59967f432707efa02c3847c37bc2aea4903471709ba787b34c720799f61f87518d087b2489f6fde1961afd7470f37b4733904e563741519e53c283402589da30
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
Filesize: 3.6MB
MD5: 54f7259d508a0aaaa05f0cdd2fda7576
SHA1: dad536cbfcba0197017cd34653ef1d1e1f6a23d4
SHA256: c3374fbf32be8a9eed58aa7034d848949fea61fe7e65f15c93f276b1d1831054
SHA512: 7e509e8f3cf97ca8d0eaf3e86cd9163ff2e23cdd25e238053acfbaae384887c814261a818a86524c460623e4b3300da06e9e33d232d750f63d8e8fa028af4ef6