8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
Size

3.0MB
MD5

b077c7291aecb0512278fff76a2c29d4
SHA1

40b633c2e1a0ecadd586dfc135bb02465f45068d
SHA256

8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc
SHA512

b9fb82819cf3737e081aa4105339055af8328f55bca401b6741a570ff62ce2f2a5668db8766db85bb926fa3749fe72cf1786bf3ccc9f882ea83634b4576d9c0f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNX:sxX7QnxrloE5dpUpgbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	sysdevopti.exe
2304	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV6\\aoptiloc.exe"	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ65\\optialoc.exe"	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe
2060	sysdevopti.exe
2060	sysdevopti.exe
2304	aoptiloc.exe
2304	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 2060	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	84
PID 3700 wrote to memory of 2060	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	84
PID 3700 wrote to memory of 2060	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	84
PID 3700 wrote to memory of 2304	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	85
PID 3700 wrote to memory of 2304	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	85
PID 3700 wrote to memory of 2304	3700	8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe	85

C:\Users\Admin\AppData\Local\Temp\8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe
"C:\Users\Admin\AppData\Local\Temp\8aac6e2e413ecc740489f2e08f6b5b6e054ec7700980e1388a0fa421174a0ffc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\AdobeV6\aoptiloc.exe
  C:\AdobeV6\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeV6\aoptiloc.exe

Filesize
2.9MB

MD5
2ceed590ec2f3b6d2faaafe5494c2dd6

SHA1
c1e9f10f2387545c020fb9e5f5bd52f130d233e8

SHA256
96f9cfe699b7c26bb30a042d3f9eb02472b9ec4d4cf0274a0403823eaba0ff25

SHA512
2eff3593de12b7abb4af525715b040da1035ff9d0c3b3022cc14d3a3d3a6f6e7ba53ea35278bbd5d71a1b1009f45d9fde1dde819fe2758196c01cac1119a1ad4

Download Submit
C:\AdobeV6\aoptiloc.exe

Filesize
3.0MB

MD5
f55c2e8f77a7428a0301a4a5e88ff249

SHA1
ef23afddad4133e9815311f79c0dbf22caf4376b

SHA256
a94e2cae58a5c48d06d76b6514f4bdd41f275100b6eaf8d88a4ffec2b7e2410f

SHA512
c93cf9f5a0377a995adf00290f826f25c1fa1b0f100cf1aee8ec48e804623d2d56fbfc3a0f8f677168b29578d16d24f6b3dce5856d42dc5fd512fb5ab1539ac2

Download Submit
C:\LabZ65\optialoc.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\LabZ65\optialoc.exe

Filesize
169KB

MD5
b81ccde1e740710399cdfb643c376813

SHA1
bfb8987b67bb0d089a65c353eeec54895f519f41

SHA256
1e5a4e858889a1a9ae34a8c400f7f48c79bfc8e81a7a5ce78bb4afc84f681842

SHA512
b55bab1043b188ed21f0b7a35b4194f7118bea123aa3f875a6037373fbb79b25cd7419ae01bb4df2d6d250307ecee806455eba6ad6f289be1bebc5ff3764c3f7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
7354f08ac4cdd2d10db080476a2f8b20

SHA1
6d54850f6c98c406ef3f265aa5771f11ceb90759

SHA256
dc226e65b0dc37397673a2184d3fce79f834d58d32e0c6d8f7d54da7256bdda3

SHA512
5003f8697477047229737133106170ddbf05dbb9b79ee40926dfa1c182a2671d0fdb062dccbd075e77e71cf4fcb0646547a2895e042f31c370cd00a1d3c1c7b6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
f33bab3376250229dfac181a5fab1e2c

SHA1
80531fcb2ca957f369b799925fb1a62f2f912253

SHA256
8204b402197246735f3bba3b6ee2496b3148eb77c0f4bf736f30da3aded530f0

SHA512
975a8de29dd7882f6adcf35f01da765e16bae704bd48b36116d367cc0720ccbd598cc492a5fd564f0ab143880dc621b5bd98d6731972833592b2ad59331470cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
07fb3e18a2948e5f5ccaeb41f9c70443

SHA1
a26da71b87c01d1c0f12a89d5e93915d6c233c81

SHA256
2ea4ae9421e28cc7a56c5f53b4756964fad320072dd6b7303600c70f0eb293b1

SHA512
0bcaab544c69021086663d47e65096906a7148b82c809f61db8c4d7af63de706662957be00a57b95c490699b25a6dcf9eb3820cfb5302403bfc131e0ec4faef8

Download Submit