b2fa466180454c368867e2ab775f93091bfd845aaaab92c9e5af3ba6d942ec3f

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c0c6b8b0902b4807ca9536a398f3180N.exe
Size

3.1MB
MD5

2c0c6b8b0902b4807ca9536a398f3180
SHA1

1b921069bbef9eac41a0fd00454a53cb9169f7db
SHA256

b2fa466180454c368867e2ab775f93091bfd845aaaab92c9e5af3ba6d942ec3f
SHA512

ad1a39a7e58c2a2e3eac43166661cc245f46904accc0f05cc7cb19beaec2d0af720d77aaa54b6a476edf33fd0df36bdb100bb0c40fd03fd35c6484e3ef941dc9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpSbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	2c0c6b8b0902b4807ca9536a398f3180N.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	sysaopti.exe
2808	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	2c0c6b8b0902b4807ca9536a398f3180N.exe
2876	2c0c6b8b0902b4807ca9536a398f3180N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLW\\aoptiloc.exe"	2c0c6b8b0902b4807ca9536a398f3180N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIF\\dobdevec.exe"	2c0c6b8b0902b4807ca9536a398f3180N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	2c0c6b8b0902b4807ca9536a398f3180N.exe
2876	2c0c6b8b0902b4807ca9536a398f3180N.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe
2736	sysaopti.exe
2808	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2736	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	30
PID 2876 wrote to memory of 2736	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	30
PID 2876 wrote to memory of 2736	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	30
PID 2876 wrote to memory of 2736	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	30
PID 2876 wrote to memory of 2808	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	31
PID 2876 wrote to memory of 2808	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	31
PID 2876 wrote to memory of 2808	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	31
PID 2876 wrote to memory of 2808	2876	2c0c6b8b0902b4807ca9536a398f3180N.exe	31

C:\Users\Admin\AppData\Local\Temp\2c0c6b8b0902b4807ca9536a398f3180N.exe
"C:\Users\Admin\AppData\Local\Temp\2c0c6b8b0902b4807ca9536a398f3180N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\FilesLW\aoptiloc.exe
  C:\FilesLW\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLW\aoptiloc.exe

Filesize
3.1MB

MD5
d6d3f1f8381e84ec72461abb1736f243

SHA1
3bfd2b1c7e947b90435ce5725fb2b13c58f51f5d

SHA256
678e3f4784be1b720f9126b49c061f126134a6032ecaba8bdd339e597b7d21df

SHA512
47f51f9185be8950e68908b66152fbfdbd0e5bc48e386d03180136650fd9f633f02dc6687617948e418915a72e253d9aea77d35a31566209bbfa92cb6b9c082d

Download Submit
C:\GalaxIF\dobdevec.exe

Filesize
3.1MB

MD5
3fc7f6cacc39b332d30cff1aa11a1d41

SHA1
eabec846da542b3752319185ea5421e808687bb8

SHA256
7977cbd5fe57a7d995f0ba894b5d2ec2d0e100d9cbd811635aab3a344b4e5c61

SHA512
707f05b0e25fc0062c3330c6eaab9e4f79255aa83db3d442ae9ad9bb2b1e30d87cbf4a1a221c1de9847d7c922bb83b86de0a3dc8c73ed288a3146edf23c34f2b

Download Submit
C:\GalaxIF\dobdevec.exe

Filesize
3.1MB

MD5
b8a724e8c4d880e48ef822f445676646

SHA1
65223c0dee531704016b07e7975afb1a8fcef01b

SHA256
4e5dfbed8538216d38dd21e367e3a0e1b38949ac22e8586c3e71d30c0c5d151e

SHA512
9f934dd9001d6c92bf807a71815f5d71df8f0068a82ad619286984637b1f5e3908163daa4d4c9b6add588c7eb8a9fb9378bc2a481f5e56bdbc34bbc276c1f9af

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
cfc34cb741cd0e00fc8a74fca47719b2

SHA1
5add4faa3d82eb0843d3f538159d7c890c42b159

SHA256
f88fdd93a3b20e841499df9ead3bd918f2dfe2ee9755d5e6d7f8ba5e733db3da

SHA512
d5356267d5ba525cd5172081274d942682110798d2d31ac3ea59da74323b1471f139cb84ec524c281102375edc7c741d378b238806d53b20e90c190166c86f20

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
8667cd5a2e7f19eb72cb32dc905bb5c5

SHA1
b6b11fc2e4047e8a3e012f412a35631e529938d3

SHA256
d04d44316216e5ece6f2de7b0bf8d2f0eafa067031697c11688aa0a09b1c4a29

SHA512
3e4892e75d6799777afb8ba2ecc939d3adebe0a843d8708d2ae1abc3f28912211c6c1a00b0cfd50c47810f9fcba663ccdb9906f80904da3b3939f6c8b4e88af5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.1MB

MD5
ccfe5e4fd0fc56c8f3f17c394892eb83

SHA1
bec6d4884596deb68ff808dd18cd177a2626dde0

SHA256
33af10c6e611f34fdd836e8a31df0e2e508531b9c4cc53c13f013bb1e34e9826

SHA512
9c629712b1e0812e6517372b45e9dc1e80220e66eb44b3843679baca6a5d9105854e973c3b4d86f383bbe17e14ed37630194c833b27a604484c590f934f00ecc

Download Submit