a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 03:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
Size

2.6MB
MD5

eb7b6ee2f611a9c3b6f0c6a15665b2f7
SHA1

37c253731940eec02431904282b28991e7752c71
SHA256

a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0
SHA512

6c671535f756edf558d3d1861dcf18961770e5c5392b06af13a6c6e0a08f0485b525f9c619df69968abbe4b7e6f270552a2a3667c06a6a91ab8462b3de9a0717
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe

Executes dropped EXE 2 IoCs

pid	Process
1616	sysaopti.exe
4592	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe59\\devoptisys.exe"	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB04\\dobdevsys.exe"	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe
1616	sysaopti.exe
1616	sysaopti.exe
4592	devoptisys.exe
4592	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1616	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	88
PID 1532 wrote to memory of 1616	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	88
PID 1532 wrote to memory of 1616	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	88
PID 1532 wrote to memory of 4592	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	89
PID 1532 wrote to memory of 4592	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	89
PID 1532 wrote to memory of 4592	1532	a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe	89

C:\Users\Admin\AppData\Local\Temp\a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe
"C:\Users\Admin\AppData\Local\Temp\a547b8e867b755de9592626b5aaca32e4c893db2b3dabf6d344afec5fece7dc0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Adobe59\devoptisys.exe
  C:\Adobe59\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe59\devoptisys.exe

Filesize
2.6MB

MD5
5d1fdf96fa83bb91b0233a7652b5bad8

SHA1
dac8ca3461f4c6fa9b2e8e096102f483b19c903b

SHA256
1d705745ac96ce180515a3a06476328ac9d6782a4d98a18983d422b1a7d0bda0

SHA512
9e2db9076188e5ba81ff6456f7b4127e979be40b66ff6a4c6daadc5149e5cca725c6af9a43eee1bba6511a36bdf086fc466cf5e7d15c5495b628f5043c6eb5d0

Download Submit
C:\KaVB04\dobdevsys.exe

Filesize
2.6MB

MD5
117f977ba8ca01c5cf9fc227dc5744b8

SHA1
664043b3dc3b05476a11a93b095e9ce30c1e5ded

SHA256
e0b1e14b5403b6ea8cba22b85e209a7173eb77678be9deaa3424a31285f49b17

SHA512
69fba8b6c37f34f3ae86faa58253a41d1db69e51700dd6b87da93e138a3b89de14232736a01125934637ce5f62041d9775bea2579a4f769abd31ea5a938ee17c

Download Submit
C:\KaVB04\dobdevsys.exe

Filesize
2.6MB

MD5
6d5b87853216178c2996db6b0c0381d0

SHA1
b394d2635079e93c9ac87cdfd9208d5e6c3ccef2

SHA256
d04d646b1acc31d54076ae9e5955670f09c6d60724d4327217a7138f576af38d

SHA512
6be4a41061b0b2dc160bc955733809117b4a6e458f50419a8feeef32e2b981c5e8ed05524574d4cc049d95df885bee462655cf65998d473411ff5569a999c5bd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
613d43107969533c4ef6106f284c47e2

SHA1
aa8565a3cc9f8ac8311d40dbcecb0f7f63e5849f

SHA256
cd75e099045af91884252b90a9ed1a1fda235d5cc799fe59d454ea35cae7d30a

SHA512
6550022564227eede58f383d3486f910130cde65e5adf171ba54fcda3cfd9725d18ceabaefc9d3bddce20cc6523ebfaa9b88446e843b28d0dbc8383f53ea274d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
6d53d4b91ea8aa8f88ad5e9dcdc5236f

SHA1
0b63159972176701b3bdc71914afd5b4f4e26915

SHA256
b7c1126b4b01694bed20f981a1cadd9d93149c2e4be909d122bc55991a90612d

SHA512
341a17c52d982df7e26fe95f5784d670b9cecbeb0fa61fc7bbcfe580641bb2dadc31c0b23d1ae64ad405f9e4fad8d251cccd505ced234093c2c821f660461368

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
98d26dfb85e85daafbcd46f24928cdde

SHA1
af6ac138b80255b8df2a34c3326130a8e56011c9

SHA256
5d5e082aba14bf069c84d20c53011187789f8d3e3fc7053f552370bf9131ef70

SHA512
14ecc79796c61dac973dff75b0bc5838118b8323eae32f42d0bb7ec81dd413520c451316b67d094b0aac44b7a14685f7b16819b3ada0e24ba78d3b69bcdff192

Download Submit