3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
Size

2.7MB
MD5

cfb930dbbf08994a3456b6c5e6bbb068
SHA1

0fb99a59e22258c2ee5c69518cf21d1bb9fb9e56
SHA256

3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e
SHA512

2fea99e197b80c8d92f3b8b7f319690321c17c926f758f1e8eff2873a37b59bae654bfe7bdbf3ed50fd0919b1fe12c3ba51b19a49140d5607d03e71c4bf578e7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSq:sxX7QnxrloE5dpUp2bV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe

Executes dropped EXE 2 IoCs

pid	Process
1236	sysaopti.exe
2524	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv78\\xoptisys.exe"	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxU6\\boddevec.exe"	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe
1236	sysaopti.exe
1236	sysaopti.exe
2524	xoptisys.exe
2524	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 1236	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	81
PID 4216 wrote to memory of 1236	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	81
PID 4216 wrote to memory of 1236	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	81
PID 4216 wrote to memory of 2524	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	82
PID 4216 wrote to memory of 2524	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	82
PID 4216 wrote to memory of 2524	4216	3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe	82

C:\Users\Admin\AppData\Local\Temp\3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe
"C:\Users\Admin\AppData\Local\Temp\3c8b90140c4ff23427921325f784be37d9410e91a4fd23ad1c7484e85b10267e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\SysDrv78\xoptisys.exe
  C:\SysDrv78\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxU6\boddevec.exe

Filesize
797KB

MD5
0e9b405040c93e9ba893806c5d21a325

SHA1
68d7cbbf79900a36d53b42642ab7d15d17a346cd

SHA256
e247e46bd92b5177ba0d141ed04179da4165b6ce12ded8bf70043c40347bd50c

SHA512
e9c88bfa0e126f6ce535dd1f788c2d3fe93833a1a5b293b00b3a85acc96bd4964db0aaa356884ec545255f8321bbb5ba89aa97feb4afa6040536edd8b8544fbf

Download Submit
C:\GalaxU6\boddevec.exe

Filesize
2.7MB

MD5
15291ce79f817d2d36ff2c55c75a7d99

SHA1
94d1eaa7c7fd4b8b425a1e69c1982ec67f1f8e2d

SHA256
a6aef3055d9c4626d346c0713ab84a3680602c5a34064decf11fb39f60df7d4d

SHA512
c0253fd4cd17694ec9dc84f4b94e0daefc3fb74e7a1eaf41c77a3f6f36b43766b0a8b207a8c71d351be895defdabc2e04a58f8ab6d9273ad3f763e67852e5e4e

Download Submit
C:\SysDrv78\xoptisys.exe

Filesize
2.7MB

MD5
cdcae6c63c4c801e3edb76bed907c738

SHA1
327eab53a6ba72e875127a04623749f7945fe8a1

SHA256
0d32dee2296cad1c086f732207575d262c731ad4d7893489e47033e0930f0e02

SHA512
3323e30df6a6571bcc3a491c8e32b676a4563933ce1b205461874c92e64db716bf3b820e035392e0aff03f06a91e69aaf625d8d1b5e8f5ff1fbeeb2aa47f0aad

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
2f71f5265efa55117695a06e0a778f00

SHA1
55c2c3a314a56eba4e1b63c791ece11f176b5aeb

SHA256
d41eabfa3016d59d43676dcb03cfdf13d115b26c09053a06a7435fbf46c3a898

SHA512
36223cf71cfc657a8a4a08d761f5743f22870dd06a3813b0d5bd5ccb0a25d98bc63287c7dff1f17ba9b5b987a7847ce3b1eb515b37c70c0846ccedad8d804795

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
f982b03ab100808b15f38621abb7bc4e

SHA1
bcacab6c633d36e314fb538c0b74d7977de9766a

SHA256
01810da7a7a0fd86ad462e99785dccdda69c9cebcbf60e2924d6072843cb0765

SHA512
a608e28a1e1c4513ccbe027adae88b2109b22ecc3c82b60da00b958fbe90a707dc0c720bccd0cc34591087672d8872e7d3e3198a234d5f3904786d018b0bb7b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.7MB

MD5
2ee693220e0fe4bf9c1f759b25c50f38

SHA1
4d464a5e25c6dc7875e85d5ff4b0691f9801cf0e

SHA256
53167998a771f8280482eb3cafd72c983cd9cfaec5f43649864c1d02f9c110e5

SHA512
6ff6e4bcab3a44f587cf8150861ba6896624b0a680b2de87beddfaa3e0f2025bdf5dea5e75aca5d640772c66def14198fbecfa9cae08b0fa9a97f8e98154525d

Download Submit