Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 00:16

General

  • Target

    921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe

  • Size

    3.6MB

  • MD5

    946e96ca62b871e3e14e970df293a6d1

  • SHA1

    677c41095bb811335f9c32d2817b9f3939ee37ea

  • SHA256

    921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d

  • SHA512

    3a1fcb107c961178251074d3eaaf65ff0b7b809b0ed012bca9b8c28e56aa166c3d258b8b613ef9a871fa83c4edd0f0012a71771e88ff4fea971e7726d3f95f03

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
    "C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2712
    • C:\Adobe8Y\aoptisys.exe
      C:\Adobe8Y\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe8Y\aoptisys.exe

    Filesize

    3.6MB

    MD5

    a5a15541ec157e6f374dee7a2df1ef66

    SHA1

    143fc139c109670d653ef9a5d5030e471f537f60

    SHA256

    191b3149356b644438ec74ab6638f910f7cec8a5edfacd491936482d17105bb2

    SHA512

    f811b26c5bab7fca1fa1b583a818f28ad926d5a29026df58a74ee0a7ca126e2b7eb24007e9381a4fc2b700b55171990be3145c91b2372e837632cd827995b72e

  • C:\LabZEQ\optiasys.exe

    Filesize

    3.6MB

    MD5

    3b04baaa0077bf5f637736bad50dbdc3

    SHA1

    93fcccfa45ed679c6dbc0ae9f2d9232cd9f138c0

    SHA256

    362c4581c8b54d3d1d84cf0bc43d3e8b0416910cafb4df8b1905e245406547a2

    SHA512

    c4fedd9c3db33a983bd629c047a976f534527fc2062a352245c70bbe4f36a93828d5524f01a144eeca82a5bad7bb04617ab63053bddb0a8131c33c04b82adf13

  • C:\LabZEQ\optiasys.exe

    Filesize

    2.7MB

    MD5

    f8651c2de1f960cbb34b41821705e9e3

    SHA1

    95c0dd987fcd99d1d83a9edd71f133b28d933049

    SHA256

    0ee497104812bdd5a87de0c0cef7c6709662ae719c03971a245775857ccf4f34

    SHA512

    5ebde0c9e5604485476f6cdce6b6e3fe8a8bc79f033d1d36845f3ec3b34f598b4e517288ed6dc75a083d3c61e7656272b49ba772f5f3c60f5b22a7ac4048be60

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    9ae30b057b99bdf9266ab5df90f26207

    SHA1

    7f3f11eebd84602f8ca4a36d9e54fa2f49b42139

    SHA256

    93f9207c0abbac64bd37122ef69d68ea0f54ae9aefa0732bc31864cf9925c27c

    SHA512

    63ae93fab8a173d9ecdbcf7d90331e452e5dd49fab38163f02af33626012db53f875bc9766e0588678fd983c71a383474b9a9ac7f24bb0104d5e9dee311276ff

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    297b332f8b054711989abe75574a965f

    SHA1

    ac81589c42e8f8a771a0122df6a8743c446c7e88

    SHA256

    f16dd6f5847a16d53e3d14827c2d2ef2bd5d314b551f8437233fc35277a3d133

    SHA512

    34e38e8e3d4abc0ded9334ce97536599249016331d64d3893f4eb675194217a2620e51c0f6310771c82316907ebe88428c0c49fd29dbcd2362db7352c836cc98

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    3.6MB

    MD5

    b8d48d99a340f2cb7ca0fcc6631547ca

    SHA1

    e8a1f78f07c6e569de45bc23e35ed921729fec30

    SHA256

    8aaa7d2df4e3df7a988cc0f6e973bbb3dc196e086e3d50f49a50c4f14cc031dc

    SHA512

    4bdadde970417d91df37ee80fbb8b4d0ce80f3528617cf281b1a6f5300eeacd78c936c1a077ef4147597a5118c3c7349c35368db27c6cfcb5916dab7bf0f2e85