0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
Size

3.9MB
MD5

2050253ec7997ee98060c1375716ce9c
SHA1

99fb10d0c4624774b32ffd62f3ee808bdb51f42e
SHA256

0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e
SHA512

f8f77388194ad58c19f01d7a34da5ef10949d8f89917a8d0c4c0659dba30798af637849ad7a0d01b304c1eac3baf5daaea3b0935c918af22211b17553d656317
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8:sxX7QnxrloE5dpUpSbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	sysdevopti.exe
3036	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3K\\aoptiec.exe"	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGF\\dobxec.exe"	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe
5060	sysdevopti.exe
5060	sysdevopti.exe
3036	aoptiec.exe
3036	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 5060	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	84
PID 1496 wrote to memory of 5060	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	84
PID 1496 wrote to memory of 5060	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	84
PID 1496 wrote to memory of 3036	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	87
PID 1496 wrote to memory of 3036	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	87
PID 1496 wrote to memory of 3036	1496	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	87

C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
"C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\SysDrv3K\aoptiec.exe
  C:\SysDrv3K\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBGF\dobxec.exe

Filesize
3.9MB

MD5
100dadb30b408c4fdb4b1dcda6db6656

SHA1
1b7a973b5e7db160bb8532e0aa8c5e76db30a184

SHA256
2d82a005ecf57f805743bb56cb75c19db9525a22b285eff5d3d5aa85cdd19196

SHA512
72cb26803d41de7c282121be6e80b5ae29ef711130ce03e26cb01c9bfb9b7d29515bc09e2c5e9a4739cdf9c00f544a5b0d91c1bc4ac451ca71ce7859dafc8ab1

Download Submit
C:\KaVBGF\dobxec.exe

Filesize
3.9MB

MD5
3a4274258cc455d2b47e0498798eabc6

SHA1
200d42e4be2428106f2c657e342ec3c396a197eb

SHA256
9a6f75083209b8c3eda76d388a21a4d9174c4e511db24d2c963436d3a3120803

SHA512
a2749f41f17bf1e8c98caeae9953ca5f95721e6e7ecee80fd3efb34d2a6fabd5170670c07d7e6df3315cfd02753cf9b86367e38de9e4d9466e37bbe10b40f83e

Download Submit
C:\SysDrv3K\aoptiec.exe

Filesize
3.9MB

MD5
c14b6e3d3840bbfd556cbc4e4e6ad7b9

SHA1
2ff0042f7349ee1640cc42a54ae0e6c6f90c2095

SHA256
d6ce120aff09d835f65e8a422bc791e0583c61bfd01f0118ed8c1e7daebb72b8

SHA512
c3758783582ef19f99268175c1a02f71d27386c067b62409b78b542658a920692061093ade852eef2b3ea733c7fa3d80e2d75d303c1c2512b1121ca04b4383af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
905bff650f3e9af8b7aecdaaf73397fa

SHA1
8fce2c1fef392ec6525f2783df2c91e28cbc11ea

SHA256
9ef597c530eaffcc723da14a9f4ea50dcaed460244e6e4def546857aea3578f4

SHA512
c8757973e1a274fcdd7f953c6bb376656d2878f76e8c3b407eb6fe03c7f0bde91a96306b0e0f151b23ced1f4cbab986f900aa6d4a86e42b38956b2b61ff70778

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
53e02105d63f651a12ad99d434b0c691

SHA1
924e21bac279ccbd29f0b92f391a5dec77d9f17a

SHA256
db79ea91b52d41329fea356cef307ea80fe18f3e37cc651b8722fe53dbedfe39

SHA512
c854abeb05b9c84cfc806c52007cfed82e4a8e90fe95d6074873b4b6eeb78ae60ca6e6421f2617aa59d1fcec2b90efe8ff6aef90121a68dfd2e08bbefeba519e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.9MB

MD5
f1be0900ef4b2d5b66b2995bf706c516

SHA1
4282c51c71e05a480528896da9f11eb71b103a97

SHA256
aebc2abac60be5fc08b98c755262b8b23e62f276a24d4672f48a785561061778

SHA512
20ee8c752275c9893ce463c5e0dff62684c3a0edd903914130e4382f97eca82e2d3e590fc69f39c7d9c3899b119637e4ff9bc2c0a82a9f1976acf1321d4a9df3

Download Submit