352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c

General

Target

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
Size

3.1MB
MD5

7326e2cc8b19595770965d72e1041325
SHA1

e1758cbd4eea1c45ef714d1c0651abe27d91fe93
SHA256

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c
SHA512

a94365d8c26f6042c75f9fe0eb7945509ef6d5f2fc3f7e5252678efb3bb1fc2dc1efeaaa007e849c279703f66074c08a63686e96c780a35287ebbb2c4fd92236
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevbod.exexoptisys.exe

pid process

2640 sysdevbod.exe
3624 xoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2640	sysdevbod.exe
3624	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLL\\xoptisys.exe"	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7I\\optidevec.exe"	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exesysdevbod.exexoptisys.exe

pid	process
556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe
2640	sysdevbod.exe
2640	sysdevbod.exe
3624	xoptisys.exe
3624	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	pid	process	target process
PID 556 wrote to memory of 2640	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	sysdevbod.exe
PID 556 wrote to memory of 2640	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	sysdevbod.exe
PID 556 wrote to memory of 2640	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	sysdevbod.exe
PID 556 wrote to memory of 3624	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xoptisys.exe
PID 556 wrote to memory of 3624	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xoptisys.exe
PID 556 wrote to memory of 3624	556	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xoptisys.exe

C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
"C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\FilesLL\xoptisys.exe
C:\FilesLL\xoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLL\xoptisys.exe

Filesize
418KB

MD5
867044c4ccd6bf9ea58fc98c9570b562

SHA1
304a3ea13463ab62b794e0b1f93480a071fc4e88

SHA256
b58e4afbbbc08988520b7661e72278b32b68021eb780e8e6b57e2988ad140f34

SHA512
7a8585a57e172c8b5f2c85edf3726c1a70568b78cac2c712010cbc64b0d6e460bc9f7e53ca2dda46b6e5f71540eb5a99d100c801a172520a569a7a4cc6e9ef5f

Download Submit
C:\FilesLL\xoptisys.exe

Filesize
3.1MB

MD5
1ef66234510edcb89f07f23d7cb6b38b

SHA1
82dec903f995e3e629533f540ddc0db774e0622f

SHA256
14189ddf81adf54f8be3ab5c46bab54e7665396edb0de77d91290db17a153a8c

SHA512
5a13220d5b7ac1b08d009a92d791e87f057c1987c2ad63cbfe4d22db1bf77535f6a8b5cb01f366a4fc7766ac5e517a8c29e3016cc158d5d766a67c789f45c9d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
6ef809ad6285007fd331d283207603bb

SHA1
568137f425e456de0d7d5559e841302b31ae0d22

SHA256
5cca0c9f74cf3e6787753d8414d7c9ca2c3504798971ccfa58f1c8f2300b39f0

SHA512
2e5065f0a28ec81d22679858fc93e22d930aaf0ea63df23ca1a1d4f67d0f0e6f4b2a84ad38e22e4b49a76b34ca26c4b65d41dd4d0766b508ee67ee981345b481

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
ddab588476db71f63510ab421445093e

SHA1
a586377b6145ceb58628c5a38dd465927b4fb675

SHA256
1fd0a33856103347398af0a8b3edb4afae664378c1a153001762b37415d48ac0

SHA512
b122e380ca8ab48fe1952b8780cd38eb7538eeee5342c551a1c34b5d8f1bebb26b3939609ba490dc4488556a3d69d0d35d58319bdb611cd73684791b2ef048b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.1MB

MD5
ad970105fe4001b753240eb418a96a14

SHA1
226b48140fab7b188ae2f8bd609b045629899c47

SHA256
edbabf4b1a7e7c17ac46946fc1e9e70daeb8a02ce3e0df5dcb9cf909ddfe4a14

SHA512
6aee8a6f064db04e13200e878a9b6c35c5af33c95da6e1f4ba2bd78e3fcb2857cc757d43d997a84a44d3b378fac2803ad04a0218c1b66c8c017fa263defe5dfa

Download Submit
C:\Vid7I\optidevec.exe

Filesize
25KB

MD5
5762bac0acb51c17f2d50d3089e9a468

SHA1
0050c15f18fcfb7ccb580d1b978828a14dfe5548

SHA256
9ba88174226e3e60f0e21fe9ea512cc1b77c4e88e7cd924a32a5d3ca62dd78fe

SHA512
c653b3411dcef476e2330af4f8649c7cd0bee4d00aa083bcee7ee9e5fa618df1779ef8f2c1a39238cb514b17f7ef07ea5a11b68b1ada79e11743feca9cf8a93c

Download Submit
C:\Vid7I\optidevec.exe

Filesize
181KB

MD5
19edbfac35ee4cc2ec541fb6f49eff31

SHA1
ce97af3e3af303bdcb36bda362d154682ca7ccfc

SHA256
246bc5f7c083c7754b5256617facde076f75b0c4672c152c6010090385547321

SHA512
9609adc7265ff031b1648051900f1a42a800c2632d73e33223ea2bb3f6b17ebcd7942b3ab5bd82a43d969500728bd9f6fe7af335a4b5849f338fd1780ff326c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads