a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 01:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
Size

2.6MB
MD5

215bc811c0dfbf36565a6b190e9e27dc
SHA1

13fa341837494826e4f52be5f668c80fd405acae
SHA256

a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32
SHA512

9582b4a040b351d213aec97aee92c79e95dc5c8ab0be6d370707d17d001a17098c13ab26b9187c752d2bd6a5ad74defb06b4131a0d21b53e6ad0947d842253c4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpFb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	sysdevopti.exe
2656	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKV\\devoptiec.exe"	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOJ\\optixec.exe"	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe
1708	sysdevopti.exe
2656	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1708	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	28
PID 2272 wrote to memory of 1708	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	28
PID 2272 wrote to memory of 1708	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	28
PID 2272 wrote to memory of 1708	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	28
PID 2272 wrote to memory of 2656	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	29
PID 2272 wrote to memory of 2656	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	29
PID 2272 wrote to memory of 2656	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	29
PID 2272 wrote to memory of 2656	2272	a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe	29

C:\Users\Admin\AppData\Local\Temp\a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe
"C:\Users\Admin\AppData\Local\Temp\a59b9f126aef09615e765cf2390d628316aa2b9e942b5ffb62068e946cf58f32.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\IntelprocKV\devoptiec.exe
  C:\IntelprocKV\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxOJ\optixec.exe

Filesize
2.6MB

MD5
358a10825b5d12e3f33e0ef2bb7af785

SHA1
226a91e66603c028f1e957f487e8278cfa8c5c48

SHA256
37a277b118d6152531048defba1b2d24b420d7e277bb32e0a0d4c4e2885a49cf

SHA512
03761c8b47ccfac9623338ce27bfdb73a6ebef7c8dfc37baac4d6e82bdc75e836cefb31f6789f56f3486b05e3263a55ecf000cee6ed6d249a08f81f4204c8a3f

Download Submit
C:\GalaxOJ\optixec.exe

Filesize
2.6MB

MD5
3a532e3c9c3039168825c92962ecff0b

SHA1
db05b960b16d01de5717d0c37233687092c664cb

SHA256
a1ad125efe09189325e36e62b70d535044d747b34629bac8cef86156022af5c6

SHA512
d199041eb7d43d3f2e00bb6d541796d7fcb2d70b9544e1eebf62d14d352e33c1b821ca329ed940ba469907d00ac9872bf191b2caa8cd30335623e6e42f68320f

Download Submit
C:\IntelprocKV\devoptiec.exe

Filesize
2.6MB

MD5
ee555a19014d79c9cff3e1d2a1ab1798

SHA1
67b1746cd630fdb1201ea710988e84a7e0789090

SHA256
ad9ff06c51fe243b0a721312df9ec026578469cad5efbacbcf2dfb474be0043e

SHA512
42a5326b9f8c7ff93545ce51035f3182b9e112c6ca19f0fdbc8deb372cb07c3078529a30173b79a00e6c2933a9e4ebb6da486aef3e9cc57a7ce52d05910dc599

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
178B

MD5
a72f271d711944151e060193adbc43ba

SHA1
787d211e9d9d0e9b77eb076da12549cee9ba8e24

SHA256
1a993d91a6c63c115efd83a2fe8a1fa8d011c65b0a7292d356d45faedd43bbb8

SHA512
370afe8f0f607b3c8cb562a5fe56e135b14fe276d610cbe7fce836855f6ce70c91d934aefd217006dc1a1627007a58a731d10ac28e2b8c4174179602d4c947c8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
cc20558e38f5eb2cb4847ae63fd7573f

SHA1
fe1e029ede8e5ef3f4324e44f3bcdcefff9e7a66

SHA256
f43f444cf2d97442207d594f001c38a6a0761d5ace1f1e0248774b779107ac13

SHA512
8a1ce0c94e7f6e521048f5673e6959675a5bab566fef1b835b15458521e97bb3a2eecd4a78b79a0fe31c63c17e53d1b5236e60d79ecf8aaaa894ad22ab5b0191

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
879aa9f06c6fce07faa0e66d195cef01

SHA1
5f3114e163dc3b7342a432559902f79869f94595

SHA256
154e9ee97668a25749f41136125f6b642f71ffef64e9768f68a3533608f0b669

SHA512
8ed34e958d36f35ef89d9abed16086ab34e638e59f33e95dd3dc6f1a95aab865c948e588e7b05bb110bcf5a38feff6c1e2dab19a27d968f5afe816778bc2780a

Download Submit