097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5

General

Target

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
Size

3.6MB
MD5

4f86b6f135c82a8aec3bfad4551c9b93
SHA1

a1b9f711fd8309a2755ddaaaa4f832d5d5d534d1
SHA256

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5
SHA512

0cc7fed23d743c903f1b0c7312e82e4c6fd5795cafb01b7ea520b21503099bec747f8ca5540e12453bf0692d88b60ee6696c060e3870752737ec63ee09dcd275
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8:sxX7QnxrloE5dpUpzbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

Executes dropped EXE 2 IoCs

Processes:

sysxdob.exeaoptisys.exe

pid process

2744 sysxdob.exe
2608 aoptisys.exe

pid	process
2744	sysxdob.exe
2608	aoptisys.exe

Loads dropped DLL 2 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

pid	process
620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7T\\aoptisys.exe"	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint89\\boddevsys.exe"	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exesysxdob.exeaoptisys.exe

pid	process
620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe
2744	sysxdob.exe
2608	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	pid	process	target process
PID 620 wrote to memory of 2744	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	sysxdob.exe
PID 620 wrote to memory of 2744	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	sysxdob.exe
PID 620 wrote to memory of 2744	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	sysxdob.exe
PID 620 wrote to memory of 2744	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	sysxdob.exe
PID 620 wrote to memory of 2608	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	aoptisys.exe
PID 620 wrote to memory of 2608	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	aoptisys.exe
PID 620 wrote to memory of 2608	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	aoptisys.exe
PID 620 wrote to memory of 2608	620	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	aoptisys.exe

C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
"C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Adobe7T\aoptisys.exe
C:\Adobe7T\aoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2608

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7T\aoptisys.exe
Filesize
3.6MB

MD5
1ff90202215a9b855fab82869007011a

SHA1
c613491a72655c320e651774e4a6588d4613746b

SHA256
5adb5d768011aceeb5bb3eb6e6edcb1085cfbcfe555c8378b6066a77a9506a8d

SHA512
d377fb5286de28f4e70d5dd6ff1a83b82b07d52574a1b08cc3662c8c17cb686cf224cfaa9dc451d04c58f265b22cafacd1588fb0e4c594760452ec317da41faf

Download Submit
C:\Mint89\boddevsys.exe
Filesize
3.6MB

MD5
015056ea8d0c20e1c4320155924fd43b

SHA1
3bfba8ecc41f48a874f4a62cbe11402d939df4a9

SHA256
b10913cd8092d08a9a922795b6bc4bfe852574baa006fc5a4d848e2e8fb03b51

SHA512
b0d63c85a80d4634ca362892faa523a262caf7a1a3adf8a7d66e9210045fee54dc2c332334d841750410d76796981ddc1df875f0f2d294a6b60ef04283fe7985

Download Submit
C:\Mint89\boddevsys.exe
Filesize
3.6MB

MD5
81e20972eadb16717960c0963825332b

SHA1
7e3eecdf1f35e7402adea345b222c36ec23b8e68

SHA256
89bbca538b7eae32a502b5b6271ccff3b2473b8852d464cd9d4b3540df7030be

SHA512
3e1cc47cb7fbada5526104015c49fd6cd6d6b50b076c7d5a6ce3b0f1dd4894b6077f4538b5335784fb18ce9da37eab0677f808d948a53a05b64212730cce3089

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
171B

MD5
cb91fffe65cbe6b325fae1e81e438140

SHA1
320a6470d6e1b633ec9f364fd459bf3662b7f25a

SHA256
def5e675798adec9b6423cf1c8e3cca706e2af4d5005c188bab597e844a311b9

SHA512
38097ae2445acbfa0c2e14fc0994b3813fd81918309859daa32372349dc7791062db4f77fb5614bd6acfc62ddaa219bf80cef3621514dbefd5dee3b325f6dd4a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
203B

MD5
aa9e38214a4a8c4a1d489c2eaab5c8ba

SHA1
4a280034789be5c7fe717a57e55206f2a6dc9386

SHA256
8879e50753f61202e1b57f7241fa8fe4ea8006966adc88d914043b1b556cfa5c

SHA512
59967f432707efa02c3847c37bc2aea4903471709ba787b34c720799f61f87518d087b2489f6fde1961afd7470f37b4733904e563741519e53c283402589da30

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
Filesize
3.6MB

MD5
54f7259d508a0aaaa05f0cdd2fda7576

SHA1
dad536cbfcba0197017cd34653ef1d1e1f6a23d4

SHA256
c3374fbf32be8a9eed58aa7034d848949fea61fe7e65f15c93f276b1d1831054

SHA512
7e509e8f3cf97ca8d0eaf3e86cd9163ff2e23cdd25e238053acfbaae384887c814261a818a86524c460623e4b3300da06e9e33d232d750f63d8e8fa028af4ef6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads