3921a5b4c1aae3b2eb55320b7185c39b74b6ebe5dba592371ceef25663261c73

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046dcb90a380c0e5a918e0ddf76f5390N.exe
Size

3.6MB
MD5

046dcb90a380c0e5a918e0ddf76f5390
SHA1

5856c17a3a291d8e32beeba44963dc18fa8e680c
SHA256

3921a5b4c1aae3b2eb55320b7185c39b74b6ebe5dba592371ceef25663261c73
SHA512

90a4347270610501cc6713719d4b56123948f851b3165fc486244e45d3163be5d41221b6de94bcb3498d337763dba698b73f52944f8e36298e424bc36ff76976
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpdbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	046dcb90a380c0e5a918e0ddf76f5390N.exe

Executes dropped EXE 2 IoCs

pid	Process
2076	sysadob.exe
1488	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0H\\devoptisys.exe"	046dcb90a380c0e5a918e0ddf76f5390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint9E\\optiaec.exe"	046dcb90a380c0e5a918e0ddf76f5390N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	046dcb90a380c0e5a918e0ddf76f5390N.exe
1048	046dcb90a380c0e5a918e0ddf76f5390N.exe
1048	046dcb90a380c0e5a918e0ddf76f5390N.exe
1048	046dcb90a380c0e5a918e0ddf76f5390N.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe
2076	sysadob.exe
2076	sysadob.exe
1488	devoptisys.exe
1488	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2076	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	86
PID 1048 wrote to memory of 2076	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	86
PID 1048 wrote to memory of 2076	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	86
PID 1048 wrote to memory of 1488	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	87
PID 1048 wrote to memory of 1488	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	87
PID 1048 wrote to memory of 1488	1048	046dcb90a380c0e5a918e0ddf76f5390N.exe	87

C:\Users\Admin\AppData\Local\Temp\046dcb90a380c0e5a918e0ddf76f5390N.exe
"C:\Users\Admin\AppData\Local\Temp\046dcb90a380c0e5a918e0ddf76f5390N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Files0H\devoptisys.exe
  C:\Files0H\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0H\devoptisys.exe

Filesize
3.6MB

MD5
6c338f2887b0dd5d3b5bc9960585d666

SHA1
37e17734b4b79fa0fd5c096513c7459d259dcdfe

SHA256
d2e31a2988f8523e314f4d722125b63542a750fb57b473f3f7249787bd2e0c2e

SHA512
50c7508d5376c30745115df886d46ad5af0482bd6dbbdc47416d32f60ad8d29917ea2f66a7731b57cd1bd3fdb3bfe1e2b01337e4c04fd00d23bd6530cbfb7a89

Download Submit
C:\Mint9E\optiaec.exe

Filesize
4KB

MD5
34bd8ff991b1427aa83cc59b77d0487f

SHA1
1775fb0e77f2b1b201917c49e409123372df9167

SHA256
8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec

SHA512
5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e

Download Submit
C:\Mint9E\optiaec.exe

Filesize
3.2MB

MD5
75f66956e30213ce1c6cea07703999c9

SHA1
5f778ea7a0d9bcf57692961c3094799365f408e9

SHA256
ee9519bf026822d277de1c26abaaa53401aadb72b9f32d41c819bf02415259d7

SHA512
1f43eb9b500403c106d229c03b43538953253c9ab9f79116f25ffbe7fc183a012751008c6eae7089ca31a2c82b1968bf568b6b9fdf9d0c392bd2ea2a24cbb414

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7a8b488ec6bef69c4a2e7306eefdc0ea

SHA1
e915c2ada4a800a8eed650c44e39757d01a80487

SHA256
69eb46080b1d16696c141136273aa5029a02e15df0c1484b0d08001f6c149fbe

SHA512
b884c182dc110e907129058938aa8a7d3dc31d2dd1c7e40bf80b0d6acde4ac0e5d0f37e17bed34b57318257c1074da7e569365e2ee479dd53dc6bbd6f2d77d18

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
18d6bfbc5b37110dc9d458a00a968d16

SHA1
e78f50cf8a4536823a163a806f5fe1328059a730

SHA256
59291c8a72b17a2ea4c81fc6bb1256df000425df82657700375c5acfd78e97d9

SHA512
e54d5b092d3555c2d33d8cfe9b0527e789f92252adc82b7fdfdcd3b4caacbb5db7ab8404e6b6114306622ab58b225f2f96c0692c2bc39373c1950e4de0fa1896

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.6MB

MD5
a5b95c233f6b088731d58c137e0d97c9

SHA1
a11ec12b20894bff1b64ccf39b9551b1e0dcd020

SHA256
e50c52ae2959089597193f2134e59a9c13cbbee1c0f424de79093bf8d781085b

SHA512
22631f3f62ddbc36ae1845dcfe3fe092f522057e1a669534093db0a4107b744d96a5e9f47585e54ee5171765e862236c2e36f45f7dae5a972d109b5abe822fbd

Download Submit