52db67ba930060d2a4aac4ecfd4b16f0ab073b5e7f41baab59e7c549059aa2ae

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc1ac8660fae4d48b1fd85829bb1350N.exe
Size

3.1MB
MD5

0fc1ac8660fae4d48b1fd85829bb1350
SHA1

1685d3434114da9e212daf58c3b008bb509c6457
SHA256

52db67ba930060d2a4aac4ecfd4b16f0ab073b5e7f41baab59e7c549059aa2ae
SHA512

1bae8fcdc796d98c7f4de269b3a7e5d40b425692404fd1beca5218271dc49f850582844c43647d2f1a8465727491bf71b524562062b215a92535c1d2e9314514
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpIbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	0fc1ac8660fae4d48b1fd85829bb1350N.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	sysaopti.exe
2380	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe
2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5V\\aoptiec.exe"	0fc1ac8660fae4d48b1fd85829bb1350N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint62\\dobxloc.exe"	0fc1ac8660fae4d48b1fd85829bb1350N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe
2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe
2208	sysaopti.exe
2380	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2208	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	30
PID 2372 wrote to memory of 2208	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	30
PID 2372 wrote to memory of 2208	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	30
PID 2372 wrote to memory of 2208	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	30
PID 2372 wrote to memory of 2380	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	31
PID 2372 wrote to memory of 2380	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	31
PID 2372 wrote to memory of 2380	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	31
PID 2372 wrote to memory of 2380	2372	0fc1ac8660fae4d48b1fd85829bb1350N.exe	31

C:\Users\Admin\AppData\Local\Temp\0fc1ac8660fae4d48b1fd85829bb1350N.exe
"C:\Users\Admin\AppData\Local\Temp\0fc1ac8660fae4d48b1fd85829bb1350N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Intelproc5V\aoptiec.exe
  C:\Intelproc5V\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc5V\aoptiec.exe

Filesize
3.1MB

MD5
883d01fdd282040942f1aee2c32dca7e

SHA1
95031d2c404fadd70c040ba9c327e9b13a259de9

SHA256
d223423bad2411a8d5d2180d64ffd70f96635af5ee6267b598a8c01f14895941

SHA512
7dec11ad258c8d37ccc8699bfe6904c0f0d5dd2ffe649ed1b02c502d579e4b7f15e9dda64a8721a1764633ce734b0d53a7cbb042fd091a7ca4b0fd47a6ffb75b

Download Submit
C:\Mint62\dobxloc.exe

Filesize
3.1MB

MD5
aef539da7b4ba11d40b1359ddec9426e

SHA1
3889fd7ff376eaa18cdc0c766d12966d918d0cf9

SHA256
07c08765cb3f7c4ad90ed2d417de9101743a9385e840e13809e7b66524dfcf30

SHA512
45ad789148b66f821d7fb4929b2b8cf04c2a42ac98a341e2bbd7a6649d7bf93e214916513bff1a4c81d11643ed7523964014a98ae4f7b548bafb00ee09eec7cd

Download Submit
C:\Mint62\dobxloc.exe

Filesize
3.1MB

MD5
678df6f0267cec9a1bd58de14fbb82b9

SHA1
3afa59aaf708f4c8285646111069e9b471b663f0

SHA256
62442e8dfca5a67ea8c21e158c4a5aa4729e54a1bf96cdf190945b36021a003f

SHA512
7ac48797d95ec10c4e66e9dec809fad38bb25b88b612366e530b172b2e6cb7a79325ce6cd8924373304902b83bca886f9b57da6c250bc27dc1842755af27ac0e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
fb9ef7eeb751aca1d3a2789fcf19a9c2

SHA1
42255333d608d11f70a4ad13cea3729bdeecc04d

SHA256
1b58947d1007f3f6d3985869457af8f6018914b8ae0eefb53c78ad240abb04d8

SHA512
4c6d685c3574e5d9d49f9c392854611a69c676154a2cd41a768dd82ae9755adf48524ac849d8cf5aa18e43daf477ee87f6942a89e8100d1678f47dd426c8f663

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
c18528a268a00e2b803fa3bbbf0a0565

SHA1
d5c4e18bdb12c09a30f2543152e84e2669e4e8d0

SHA256
64cf5d390e2f57ea01ebdb5f104d27b2904cee0fd959b35d2035fc5172c44513

SHA512
9ddaf9d3ee6434e1aecef85810272dc2ad689fadb9fce3951776c293d1bf6cbc67b14a3b64aab66cc7fb1b30303d3ab513b9248981f780b56a25afd37cea2e08

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.1MB

MD5
48f68f0f5261918f7b866656c2ae48ab

SHA1
6ce1c3ad6a4f6e5cb230208f0e1a30e65780bdcc

SHA256
53a8e33e2923bf19779ec8873c84f5a2f1b57c044abd99e5148a1cdbf383a419

SHA512
ca221b438827176059d4ff85b1d680b3fdf054b91779efeb10c5de36454d3099ba8ce6328139581a71c11ccac15a798a82a068b2ea05b49ab5efc2aa43108510

Download Submit