d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
Size

3.1MB
MD5

381829af1ad4710fa8594e2331dc1d57
SHA1

be9f042aa1737fd420fa258a2adf4c5d9e0acd18
SHA256

d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754
SHA512

f008ce7f02e7a275d2608cc3566ebdbcfa11634a0dd8e90f67bc468adf1af107ad1533e7fc9c299211bcc8059e442bd04fd9c8a9c96dc160df4fca40ee779a08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUp+bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe

Executes dropped EXE 2 IoCs

pid	Process
516	sysabod.exe
4088	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMR\\aoptisys.exe"	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOS\\optiasys.exe"	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe
516	sysabod.exe
516	sysabod.exe
4088	aoptisys.exe
4088	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 516	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	88
PID 4488 wrote to memory of 516	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	88
PID 4488 wrote to memory of 516	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	88
PID 4488 wrote to memory of 4088	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	92
PID 4488 wrote to memory of 4088	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	92
PID 4488 wrote to memory of 4088	4488	d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe	92

C:\Users\Admin\AppData\Local\Temp\d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe
"C:\Users\Admin\AppData\Local\Temp\d910c78b15d245f6f5066cbf6a2438446a6081866e792ec715e30bfee5736754.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:516
- C:\AdobeMR\aoptisys.exe
  C:\AdobeMR\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeMR\aoptisys.exe

Filesize
3.1MB

MD5
f20cfe87431dc41d597e7850df0326c0

SHA1
1285e89ffac763ff96c34713f052bc8aa3716aca

SHA256
7104dac91db4bc44d5b96d21fa3bf232e14add6ba650219831071fd1437f9eab

SHA512
2638b6f14005adc60ab3d3280043e9d454b23091e343fedb2b0452a34c5a12203532d1bd65246d9f7f4c35f790a9e57c8df595e8f59dc02b01916fe437f22002

Download Submit
C:\MintOS\optiasys.exe

Filesize
3.1MB

MD5
f8660cfe82435eccec3622a3607322d7

SHA1
c304ecd1244f174b671b2a60a874e538cc4d12ed

SHA256
d2dd0300be6504adbb49d42d5223862acd183bb1f92fa7b6bf38ffb06000738a

SHA512
0f0819e35de6dcf3ff74b6e1fc29d11af4e3a72faf0f2aab5b065959b254f3ff19d33c3fc661f0e4d27d90fdda41df1a1d20d928b2e9f7a5cdf65a73fd03cc82

Download Submit
C:\MintOS\optiasys.exe

Filesize
3.1MB

MD5
0a24a18398e9aed77a06efde9c0f2270

SHA1
180e9faa3b36a392abab762dcef5d94266a84101

SHA256
54f3e4db9c865b4b93633b529610a55033a0bba323640ec0404f99ece2bf9ca5

SHA512
8b8fe77bad01b5574e1de93c8d7096fbaed4c09e1ad2b0f030d61d97100e969d0d2c67123152789d7742772fb2b2df465f75a1309fe8a43d8776cd7c0d77a29c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
25a75862211966774f962c3e49b57c54

SHA1
1b0629f90b292c35848e595de3a1f0b540b0fb2e

SHA256
805793dd27e7da1cb498cb69655ec059d2a7c750b6d849d1b5a8d9e05efb847d

SHA512
efed921ce9b2ab125abaa6224dc68a2759e37b5445f14da68390e457a1b083f0279d67c6a5fab66ff1004e4c6d3440baefa137a6afe5d999838a6ef04b0fdf30

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
351604c66154b38db1711737d6ad1ee8

SHA1
b350d1042fac8b609795495c75695bc1fad851fc

SHA256
1b0d1da8fdad0f59e165514d651c7dcc76a15987483731d53f6d72c8ab0e5f4a

SHA512
a67ee3db55522693acfd624b1ef520656622c12fc41b5d699395a8271aaf42d2d593c4105b91a1bd915e171e2b5c4655fd29b307dedfab72741cc1a9bd5e3e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.1MB

MD5
fec51777047ad8f4c96db2b20207e2f3

SHA1
d5c8ae8cfab9a5a3e97906806d4b15b2c326375d

SHA256
051d1fdbc0faf890f45deaf70845f3cdcd32ab29de42c6d176d3ac6d8480d31d

SHA512
26ce52aae987f54a0c916246a6dc67fcf0f51ff9164e9e7a8a2717f55c9e4fb6b5fb8bca35cb9cfe99576fc2174828e65a723fd1fc23165ba435e2b7a9999c49

Download Submit