a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
Size

3.6MB
MD5

2ca12f725a468868769d47d28290f996
SHA1

f1eee4694d69a8dcd83a02da7f1bc192e5fa1a31
SHA256

a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c
SHA512

24f6966419e1121c0ff62dece6af0700d126d8634a1084872cf2cda5890bdd3cc0d6f8f47129901218e3b2ba64eb9dba7644c5488e769ca410d9f6ed5a2a1362
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpEbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	sysadob.exe
4360	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY8\\devoptiec.exe"	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGL\\optiasys.exe"	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe
4692	sysadob.exe
4692	sysadob.exe
4360	devoptiec.exe
4360	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4692	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	86
PID 1856 wrote to memory of 4692	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	86
PID 1856 wrote to memory of 4692	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	86
PID 1856 wrote to memory of 4360	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	87
PID 1856 wrote to memory of 4360	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	87
PID 1856 wrote to memory of 4360	1856	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	87

C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
"C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\SysDrvY8\devoptiec.exe
  C:\SysDrvY8\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintGL\optiasys.exe

Filesize
3.6MB

MD5
b27e7551a0ddd80cee9525583ac48c75

SHA1
fe134ac71db1a25fb488fe2accc192e16f3e580d

SHA256
e626c13f43e2d7fc55f023b0b62502092f99568aac8f2313038c3bb31747c0fa

SHA512
b1cf6509295c9e6a908bd9139ee03de8d22b8154f1f592f5e530f9043369876cd550d23e8bd9b81bcb91347981af87a613c196daf3f3247c2038a0016e1d3d22

Download Submit
C:\MintGL\optiasys.exe

Filesize
3.6MB

MD5
c858d346f37094a50af708874aaebae1

SHA1
9fb72a8fd3631463a64bf3e17054545495462c50

SHA256
04529788bdd37dd26042382b92533b4f212eec096ede92c8d031e56bb06bf806

SHA512
9463cd11ea4cadff22188a2f34006113e024b4c7935778d29ff895721e8caa98285f8255f2eaebb8ae971f9430b42a0ee57e1fe23b84f282e5098a1ee3c152c3

Download Submit
C:\SysDrvY8\devoptiec.exe

Filesize
3.6MB

MD5
48eb2c8e431637acdb35a056e4b0165d

SHA1
2610e627e7ee1188509d3f27f37d93d79c9865f1

SHA256
37de3da79db5608e8261ecf6cb77e1b8a25740fcf28a3b4dd71b562615c08b46

SHA512
052a49738c7982c315f23ec90c59eeb1058e180eb9a34404af9ce43d070dc56f576eda82086add1163d1a7c9f4b40a943c2c50467e9df5578e079b39449b3d68

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
4fc31d1fc98acc95d7e91eb4b713062c

SHA1
50b3adc487c550deb34b95898a22c6e4ca262251

SHA256
bf6a8642ae0e0189dfa44684f333c187b88cdfa7cbf0102c2b64428c38148fcd

SHA512
0f270a2b2898f928c8b73c284cf9447d76054fef3f193eed29c4f60ac2a2d57c5ff98fc83b3fcd66b28b9b5f845c9038a34f31b0edfdb445e630d59b4396e0a5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
b1487b3cb2b821ebd6eb8293872e5b0a

SHA1
f94191bd94413342757040c732cf60278b3e30b7

SHA256
77b2e3e80a7f3efaab26aa98a9443145e27409580252a5d2c239c3d93167dc10

SHA512
d8865935dee38b913aa7d6eed22cf31afbf115b0d1684ad25fd88fb0101e2f34a034a9e3818bc77fd5d1988c0700a9c5ce09557ab0382d033654105d4c8f2445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.6MB

MD5
4296fcb99f03a7322368a3b1753aa9e9

SHA1
93fdec724d2a57a3ed38a1cea76bc11349a8e5ae

SHA256
aeb348ad2c066b59e9606cb711a5856226043eead36126a7bd86a1a0e8a1cf92

SHA512
a376fefee9551cabdd321e14bc0e3c10198be5173c6e1d329aa22ddd54fa1c24b3813afa27da0bd6b6ecee04d673a5e8b65a1e7c2882d7dda888d150aea04fc6

Download Submit