1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
Size

4.0MB
MD5

b9918b8a5af2690286d9d02ac190e48b
SHA1

28fe6e317e00d8447b86d88b20444d3854fad150
SHA256

1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e
SHA512

dcf7c7bc1f63bae070059984cd11e3ce4b2d28dde39d6d01e8298bfe513998146e2a3d27d87fe0172633cc6a1c255be65e2d7158ea1b4d8d33181d377bebf3f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe

Executes dropped EXE 2 IoCs

pid	Process
2452	sysaopti.exe
2712	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC2\\aoptisys.exe"	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2V\\optixloc.exe"	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe
2452	sysaopti.exe
2712	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2452	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	28
PID 3056 wrote to memory of 2452	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	28
PID 3056 wrote to memory of 2452	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	28
PID 3056 wrote to memory of 2452	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	28
PID 3056 wrote to memory of 2712	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	29
PID 3056 wrote to memory of 2712	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	29
PID 3056 wrote to memory of 2712	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	29
PID 3056 wrote to memory of 2712	3056	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	29

C:\Users\Admin\AppData\Local\Temp\1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
"C:\Users\Admin\AppData\Local\Temp\1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\IntelprocC2\aoptisys.exe
  C:\IntelprocC2\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocC2\aoptisys.exe

Filesize
13KB

MD5
fbe3105945c809e8bf6e00f7fef8ce54

SHA1
e4b4b6a33f2126392c845abd1669f10511f5c42f

SHA256
588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

SHA512
50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

Download Submit
C:\LabZ2V\optixloc.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit
C:\LabZ2V\optixloc.exe

Filesize
9KB

MD5
bceeb783568178019cfa9ce19da30a69

SHA1
3918c6d01f7a27b2a71133015ea935c5555085ff

SHA256
41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

SHA512
7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
a8df4d1c14fd2d37f1f42fe9a602788a

SHA1
dab24f9f4b8f1a5c3a57af74cf5fcf08cad6c0eb

SHA256
26b862fd5819fd2a3511d68e92b6ffa7d4c9f56bcb5bac99ecab1d43535addbb

SHA512
0c6c7c7c88c77fe2d36ebd3792a700300c4951afaa463ca072d878df9521346bee7298191c120f92e96c676b804a6689eabdb571fee8a63782ec3cf633795680

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
e3f74a19c0a371b44762bc4e7fb7c911

SHA1
efc83abed818780745a1f0564a442e2c6ab08ee3

SHA256
8778b6b1e53c14c9f414012782f579560332444bf55c28419272e49498c3e7d6

SHA512
0790d1bc3bdd481c6ecbb547577de56b2404122f5b78b3c9c5aa75899d7f7c19bbe69f9cd7d81d6d0ec8f4ca26ef335c7ea3ff75eed01bc1c185cb5ebb9c968b

Download Submit
\IntelprocC2\aoptisys.exe

Filesize
4.0MB

MD5
f485463470c5b342b411e40c4c3ff809

SHA1
8d28466aa499fda3737048690ddda8c41619c8c8

SHA256
13f6ff5a55baf7e5120fdeee7919bf1706c7e4af64066e9d25d8c89d11d83895

SHA512
d97ad462a3ab5be353718b9b4590e31d0f2e52ccb1d1e2df45509b4cd2aa93b8f8d2c214b1bdfce26a65f8595bda83ddb4794fb6125fe9d361899656468f2477

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
4.0MB

MD5
ada20c6889d26c207d40a92b0da5d483

SHA1
a111df0b6b22e99b4b7f0471552f3f5b9be61f17

SHA256
29ebf70758b6cca30bcf318f2b130fcd90eaf5fac61b52f2e350a7096d0633e8

SHA512
980e730d815a90c5d7c9fceeb546a1c53f4d471296ae3b86f98d2fa21b75cd0d96d560ec543af93257fc77f5013ad44d398d5062eee70b5abc96d036c003a00b

Download Submit