Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-06-2024 00:16
Static task: static1
Behavioral task: behavioral1
Sample: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
Resource: win10v2004-20240508-en
General
Target: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
Size: 3.6MB
MD5: 946e96ca62b871e3e14e970df293a6d1
SHA1: 677c41095bb811335f9c32d2817b9f3939ee37ea
SHA256: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d
SHA512: 3a1fcb107c961178251074d3eaaf65ff0b7b809b0ed012bca9b8c28e56aa166c3d258b8b613ef9a871fa83c4edd0f0012a71771e88ff4fea971e7726d3f95f03
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
Executes dropped EXE (2 IoCs)
Processes: sysabod.exe, aoptisys.exe
  PID 2712: sysabod.exe
  PID 4372: aoptisys.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8Y\\aoptisys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEQ\\optiasys.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe, sysabod.exe, aoptisys.exe
  PID 1064: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe (4 entries)
  PID 2712: sysabod.exe (30 entries, alternating in pairs with PID 4372)
  PID 4372: aoptisys.exe (30 entries, alternating in pairs with PID 2712)
Suspicious use of WriteProcessMemory (6 IoCs)
Process: 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  PID 1064 (921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe) wrote to memory of PID 2712 (sysabod.exe), 3 entries
  PID 1064 (921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe) wrote to memory of PID 4372 (aoptisys.exe), 3 entries
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
  PID: 1064
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 2712
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\Adobe8Y\aoptisys.exe
    Command line: C:\Adobe8Y\aoptisys.exe
    PID: 4372
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
  MD5: a5a15541ec157e6f374dee7a2df1ef66
  SHA1: 143fc139c109670d653ef9a5d5030e471f537f60
  SHA256: 191b3149356b644438ec74ab6638f910f7cec8a5edfacd491936482d17105bb2
  SHA512: f811b26c5bab7fca1fa1b583a818f28ad926d5a29026df58a74ee0a7ca126e2b7eb24007e9381a4fc2b700b55171990be3145c91b2372e837632cd827995b72e
Filesize: 3.6MB
  MD5: 3b04baaa0077bf5f637736bad50dbdc3
  SHA1: 93fcccfa45ed679c6dbc0ae9f2d9232cd9f138c0
  SHA256: 362c4581c8b54d3d1d84cf0bc43d3e8b0416910cafb4df8b1905e245406547a2
  SHA512: c4fedd9c3db33a983bd629c047a976f534527fc2062a352245c70bbe4f36a93828d5524f01a144eeca82a5bad7bb04617ab63053bddb0a8131c33c04b82adf13
Filesize: 2.7MB
  MD5: f8651c2de1f960cbb34b41821705e9e3
  SHA1: 95c0dd987fcd99d1d83a9edd71f133b28d933049
  SHA256: 0ee497104812bdd5a87de0c0cef7c6709662ae719c03971a245775857ccf4f34
  SHA512: 5ebde0c9e5604485476f6cdce6b6e3fe8a8bc79f033d1d36845f3ec3b34f598b4e517288ed6dc75a083d3c61e7656272b49ba772f5f3c60f5b22a7ac4048be60
Filesize: 202B
  MD5: 9ae30b057b99bdf9266ab5df90f26207
  SHA1: 7f3f11eebd84602f8ca4a36d9e54fa2f49b42139
  SHA256: 93f9207c0abbac64bd37122ef69d68ea0f54ae9aefa0732bc31864cf9925c27c
  SHA512: 63ae93fab8a173d9ecdbcf7d90331e452e5dd49fab38163f02af33626012db53f875bc9766e0588678fd983c71a383474b9a9ac7f24bb0104d5e9dee311276ff
Filesize: 170B
  MD5: 297b332f8b054711989abe75574a965f
  SHA1: ac81589c42e8f8a771a0122df6a8743c446c7e88
  SHA256: f16dd6f5847a16d53e3d14827c2d2ef2bd5d314b551f8437233fc35277a3d133
  SHA512: 34e38e8e3d4abc0ded9334ce97536599249016331d64d3893f4eb675194217a2620e51c0f6310771c82316907ebe88428c0c49fd29dbcd2362db7352c836cc98
Filesize: 3.6MB
  MD5: b8d48d99a340f2cb7ca0fcc6631547ca
  SHA1: e8a1f78f07c6e569de45bc23e35ed921729fec30
  SHA256: 8aaa7d2df4e3df7a988cc0f6e973bbb3dc196e086e3d50f49a50c4f14cc031dc
  SHA512: 4bdadde970417d91df37ee80fbb8b4d0ce80f3528617cf281b1a6f5300eeacd78c936c1a077ef4147597a5118c3c7349c35368db27c6cfcb5916dab7bf0f2e85