34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18

General

Target

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
Size

3.8MB
MD5

1a14bd811521976a881b4701515fe5af
SHA1

7442ff684bd49f157fbdf2e1de1c0af9acb3914a
SHA256

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18
SHA512

223aa34c6a76debcefe66a8908530d831402c56b376637ab001b9d287da0ba0838c6581cb3812ca867300aa687a46696f7a871eaf1ed598af185d41cd7db5e3e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe

Executes dropped EXE 2 IoCs

Processes:

locdevopti.exeaoptisys.exe

pid process

684 locdevopti.exe
4604 aoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
684	locdevopti.exe
4604	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY1\\aoptisys.exe"	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6S\\bodxloc.exe"	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exelocdevopti.exeaoptisys.exe

pid	process
2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe
684	locdevopti.exe
684	locdevopti.exe
4604	aoptisys.exe
4604	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe

description	pid	process	target process
PID 2824 wrote to memory of 684	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	locdevopti.exe
PID 2824 wrote to memory of 684	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	locdevopti.exe
PID 2824 wrote to memory of 684	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	locdevopti.exe
PID 2824 wrote to memory of 4604	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	aoptisys.exe
PID 2824 wrote to memory of 4604	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	aoptisys.exe
PID 2824 wrote to memory of 4604	2824	34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe	aoptisys.exe

C:\Users\Admin\AppData\Local\Temp\34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe
"C:\Users\Admin\AppData\Local\Temp\34780aa3b4ae3728d2a516f620190fccae0277f356ee5363f8566bed24338e18.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\IntelprocY1\aoptisys.exe
C:\IntelprocY1\aoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocY1\aoptisys.exe

Filesize
3.8MB

MD5
a38ab82380eaffe8a3e1ce6b7f77fa2d

SHA1
9d394c24a7666050ec3642eb92dd8c9a062d4460

SHA256
fadfa8d18ee48b21a1f3561e5da5cabd93ec150ac3e9b8d4918e64afbd7d2bef

SHA512
d0e3f43799b9fb0dab2430bc6a2079f7a09ead1071d6c3453be6da4e50c205da48cece1edba3ef2fd641acc5dd46aaf0d3e8a17be31c0e0f06c7844880c58bce

Download Submit
C:\LabZ6S\bodxloc.exe

Filesize
2.6MB

MD5
950c1696c53b79b5a2478d313c969adc

SHA1
7a0ce89cf51043d49184ed96575a117107b19ee0

SHA256
2162c2fe8c049fa0581297be4eca9d447e3b4652263042bdb75b0465df539a66

SHA512
688661bc49aa82bfb3d890b50eeba181185201b096fc39c4809c972b1dc39bec78e6f3288ee9e44c168af9500377a657a9df32ec3822eeb28aca0130b5137028

Download Submit
C:\LabZ6S\bodxloc.exe

Filesize
720KB

MD5
51d086c9dd81260befcb0e21b5b040d0

SHA1
63b0c730d491635a1e35d07457c8df7fd25c3b8b

SHA256
c9c2953ec8dc3f0ae0466c5979028adf664407674692c35fc486c0973d4269a0

SHA512
3447cb26dff4a24324e341f228901653ef0322dce4473a02b4aa57a1a39a0d54c21d21ad092b3f3af77b838241015179521f4de34b750399efda18b541dbbff2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
89c888beb21abb59a0a0ac19990fdd25

SHA1
5a73e2acf68f90dc57191d4ff0dd2fa4beed45ae

SHA256
0a01a678a41c86bad6e1dd3087232c26eb51155fdafd8dff7019acd8fa06fd30

SHA512
25fc6daf55b4bd26cae78cf317c80b415b55521973aa6123511e19de2686427330673d02ae2b5927075b7f5fd020e59fbc9f2a26b50a589138b28d585e909fd6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
6347c1aef4481f8de8c7ca26a0d60a93

SHA1
a4e80ffdcd6543ef7de06b96efcc613c5b41e95d

SHA256
abf830d9a6c71a5aebccaec9bbc1f4a46fc12a0242f1d1d834f0083152a68663

SHA512
6cdd5c7c40211ed25c79674fb1a73c0aa308a6163aba94de0041f7f24c0b76f993ddb3acfec0d231816de0605f9eb5aa632bb4b591f25b5dd18bcb8e4624ec80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.8MB

MD5
d76af367b8c2f288eec14ee92713fe25

SHA1
c76bdd4b9cdf34bee62f57eb9fba61837da3b9f3

SHA256
b27cf5891ac3f18546c378b85fa8585e2fef99917140bbfd7fc1a779aa50b04f

SHA512
f97846972ed1f3f0c494724061d9d8f14388d6d53f0ca609eeeaee41e0e3386af72191f581a98224c18f914e7959777f66e542d3ae95a25fd87bf83f54eec442

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads