9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89606ea9cc1e017b813d55868d8bd980.exe
Size

4.1MB
MD5

89606ea9cc1e017b813d55868d8bd980
SHA1

aff596ddbb9d76ad31411df9166ba17bea8c4ca3
SHA256

9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8
SHA512

c95df2d0739539a6edaf8cf29477590be14183d7a910131d1cdceb3ad195dd11067ae69fe3be2a15db4e28af6ee0737a4c539730cbfbde5449ffeddf51605fde
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	89606ea9cc1e017b813d55868d8bd980.exe

Executes dropped EXE 2 IoCs

pid	Process
1820	sysdevopti.exe
2116	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	89606ea9cc1e017b813d55868d8bd980.exe
2076	89606ea9cc1e017b813d55868d8bd980.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEZ\\devdobsys.exe"	89606ea9cc1e017b813d55868d8bd980.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJU\\optiaec.exe"	89606ea9cc1e017b813d55868d8bd980.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	89606ea9cc1e017b813d55868d8bd980.exe
2076	89606ea9cc1e017b813d55868d8bd980.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe
1820	sysdevopti.exe
2116	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1820	2076	89606ea9cc1e017b813d55868d8bd980.exe	28
PID 2076 wrote to memory of 1820	2076	89606ea9cc1e017b813d55868d8bd980.exe	28
PID 2076 wrote to memory of 1820	2076	89606ea9cc1e017b813d55868d8bd980.exe	28
PID 2076 wrote to memory of 1820	2076	89606ea9cc1e017b813d55868d8bd980.exe	28
PID 2076 wrote to memory of 2116	2076	89606ea9cc1e017b813d55868d8bd980.exe	29
PID 2076 wrote to memory of 2116	2076	89606ea9cc1e017b813d55868d8bd980.exe	29
PID 2076 wrote to memory of 2116	2076	89606ea9cc1e017b813d55868d8bd980.exe	29
PID 2076 wrote to memory of 2116	2076	89606ea9cc1e017b813d55868d8bd980.exe	29

C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980.exe
"C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\FilesEZ\devdobsys.exe
  C:\FilesEZ\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEZ\devdobsys.exe

Filesize
4.1MB

MD5
e9de8a5192f874e625f24f16601170c3

SHA1
b8748f22aff775c12063d4bd8dd75fc5ea5c66e5

SHA256
68f848621f367fb93e21130c233de92241959e1089e83f5c4ca6607e79c15600

SHA512
de9f84001736aa7ee69d6aaa05a6f801e48e348f90a596d949edc85d99f1ee740c3b67779c7ca9385b3eae7f4492d755e0924ef5e7bcd29bdbd76d662c37439d

Download Submit
C:\MintJU\optiaec.exe

Filesize
1.3MB

MD5
aa2813e8a11fe4c66e7a64fef7d1d25c

SHA1
d0f2e7de997f9a815bf3f1e034b2be53b0c3ff80

SHA256
7e77da94c3ac5651de80847124aa581e8b691b68de87a2681b6b1ca16ad33e24

SHA512
b0a8f6fbbeb3cfe5d6962c471ff0afc3de2d0510bba4fda947f1d271b0b7e76dcb4af3ba1de0df65a426311937f782c0be43de725055d3720e601c80426d6590

Download Submit
C:\MintJU\optiaec.exe

Filesize
4.1MB

MD5
c9ab3d1f866a35b1876479e38bf8ad51

SHA1
05b0c94a81ec56fd1223340b17cdb07ec2769cf0

SHA256
7d0dcfe0d8d325c857b7f693c426c65e8730d51e49923aa8f061a81e3387d9c6

SHA512
a1bb2ec3354b1459c42756e554c540edbc05097e9ad16e52af36823eff188f777a5c5a0df29bf0639d4c277e52198587224b685721a25aa0b555ca73cf45f343

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
4aef7c640d2c0fe97d8c68f00b2ea0cc

SHA1
612ee62fa408a0978f0f58fc99e1507a3465ab9a

SHA256
d5be60a54d7a3b7f74c2b6c0571f4efa9a82737ee136bd893c9afc58f1c50772

SHA512
256d57c893383f7d3116ccd12d2889eb88920b4a63c0afd91c47cf23770f5d1509b990741b90801ac1ecbb119553328001f7e00caafa906e2b23c89845190942

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
0c945f5e8bd6eaf20d98368268c10169

SHA1
aa65417cc8ff6d7db4429a518ce99fccf4186e07

SHA256
9c753c245e3741e16cb5c038014dda2cdbc74e122bf31dc4dc1d7e7c64007268

SHA512
eec04e2741a6b7af560af1fb754d5fcb6344d2d6e4f5ab7c6a95045466da9704e09d02fd0968ad209357f562f0628bee0fe9ad40ee08999e43ad25f2635967e1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
4.1MB

MD5
159306e8f492fbab6e230f819bc1fc86

SHA1
ff25b2c7c516583a98e0baf3e30db59e5762d60c

SHA256
985dec05a31a902d5e49cc5b46cdfff3eeca0622bb83d8ecb207fcb07fcaeeeb

SHA512
827cf60c327a3b9c0578a32fc82f6ee23cebca84bf3109efe0e67970446713cf5563fa1ab6215fcbdfa86f8c87ac85326f1a122d8ca43943936dece7395438ba

Download Submit