32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
Size

3.9MB
MD5

6d6b115ac5af96c38912354c84f72f12
SHA1

6404ee58bb256ee4aa657ae9ce06169bd7138f0b
SHA256

32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2
SHA512

efd2c7869ca24082eb8502e59192ec6ae35cb2528056f8ddbe588f717107d3b2a5716f4a63d032695ac119da4e1e10fffbe3000c86dcfc69daa847bba3a9dec4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe

Executes dropped EXE 2 IoCs

pid	Process
3620	ecdevdob.exe
3476	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvS0\\aoptisys.exe"	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT8\\dobaloc.exe"	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe
3620	ecdevdob.exe
3620	ecdevdob.exe
3476	aoptisys.exe
3476	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3620	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	83
PID 1728 wrote to memory of 3620	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	83
PID 1728 wrote to memory of 3620	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	83
PID 1728 wrote to memory of 3476	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	84
PID 1728 wrote to memory of 3476	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	84
PID 1728 wrote to memory of 3476	1728	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	84

C:\Users\Admin\AppData\Local\Temp\32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
"C:\Users\Admin\AppData\Local\Temp\32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\SysDrvS0\aoptisys.exe
  C:\SysDrvS0\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintT8\dobaloc.exe

Filesize
2.7MB

MD5
346bb0afc014ddcd9353f0e6f491b669

SHA1
e618a660f2c1ddc530e21fc7d9e2d42bd0a6cdce

SHA256
90e8486c2a59f7c274a554f8ff374e66c8568589bfe25502797c42b7c8cdad4e

SHA512
6995ae92903dead92d8cfd487e8059ad265fd8bd26cba4b1e5a082d157bd55e27babf12d643e0857e08c831e311cd8ce0bd181fed11ab6b1b94a164b20296068

Download Submit
C:\MintT8\dobaloc.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\SysDrvS0\aoptisys.exe

Filesize
3.9MB

MD5
295e2f587d4ebf5f48becf0adfe221fd

SHA1
7ad4357d9a7ba2c5a7a02d19a5b890abb7342e34

SHA256
689cc9fb7c1b9ad52d262e0377b645d3614be0c489ae37f3adcf66f749a47026

SHA512
b1492b6696c736e8d0b30fd0fdf0261a27d97a78427a52d95999e9ee552893fa1deaea0609dd6768210921af78bbd4f204cae08318b119ff5f4e74884453f320

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d18339f2312635f1d3f0996899e9987b

SHA1
761aaaada85369237e6803d57f131b920dd35b1f

SHA256
3e2ca41092f26a025bfab4ed7017b605ee1761db2cf9d9698e6c49ca63ba9bc1

SHA512
352279ea8f453998fbf51ff4fa2fe5bf0942f5ed1d7d10f7505852ba9cc66768ab731197295b8f1157f457be322d463673b092cf93de83fb0bb8fa321ac23f9f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4b12c7bd64a2563cdefeba6bcf4477fe

SHA1
ac2cd3d7f5ce1b6ad6c5c3653eb1fdf40563cca6

SHA256
702a758a8c35f3bfcfa67fd546dd2751564d1633ff282fa7614854f638439fec

SHA512
5da752172dd44b56e4d29acfc273aeb1c6ffb92b9b0ef52465025dd6e833a0412e0bb151ca11eb71f2fa54b962f5246f10988132c247dab4614ace1db2c23435

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.9MB

MD5
efc12b3e3670df70b898691c3d32b08f

SHA1
f8008ff264fdf7c7227b8c4f14f8ab264181ca9d

SHA256
4e6691f58794c571fcabdcf4c0dc6e230eb243bdd50095b26d73f5fdba528f21

SHA512
47c4d6924b95e976a1f28ec83967231ab4e1bd08809f29bc3a0e08d73b6783a3f8a4773e36a3ca5b10b8e79bc8a2e9b156c9be19f2a382fe42cfca67a38e7dd2

Download Submit