5573c4947536bb470112bf7819a196499d33e819ab4e0154eae70b75daf14790

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ad68c32f9a52205f86d844c5cd0e40.exe
Size

3.2MB
MD5

12ad68c32f9a52205f86d844c5cd0e40
SHA1

22873f5c4b7150d635d90b51ba9447b9ecde26a2
SHA256

5573c4947536bb470112bf7819a196499d33e819ab4e0154eae70b75daf14790
SHA512

c73d7cf86638c23a8255662f062445207f2b2432ee5ce02dda8d6e4956d40c1bc90754b485ec90277d1ca9a7fd59497e157a7305578371aac5c01ad59fa0313c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	12ad68c32f9a52205f86d844c5cd0e40.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	sysaopti.exe
4680	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTR\\aoptiloc.exe"	12ad68c32f9a52205f86d844c5cd0e40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE6\\dobxsys.exe"	12ad68c32f9a52205f86d844c5cd0e40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	12ad68c32f9a52205f86d844c5cd0e40.exe
8	12ad68c32f9a52205f86d844c5cd0e40.exe
8	12ad68c32f9a52205f86d844c5cd0e40.exe
8	12ad68c32f9a52205f86d844c5cd0e40.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
5036	sysaopti.exe
5036	sysaopti.exe
4680	aoptiloc.exe
4680	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 5036	8	12ad68c32f9a52205f86d844c5cd0e40.exe	87
PID 8 wrote to memory of 5036	8	12ad68c32f9a52205f86d844c5cd0e40.exe	87
PID 8 wrote to memory of 5036	8	12ad68c32f9a52205f86d844c5cd0e40.exe	87
PID 8 wrote to memory of 4680	8	12ad68c32f9a52205f86d844c5cd0e40.exe	88
PID 8 wrote to memory of 4680	8	12ad68c32f9a52205f86d844c5cd0e40.exe	88
PID 8 wrote to memory of 4680	8	12ad68c32f9a52205f86d844c5cd0e40.exe	88

C:\Users\Admin\AppData\Local\Temp\12ad68c32f9a52205f86d844c5cd0e40.exe
"C:\Users\Admin\AppData\Local\Temp\12ad68c32f9a52205f86d844c5cd0e40.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\UserDotTR\aoptiloc.exe
  C:\UserDotTR\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxE6\dobxsys.exe

Filesize
3.2MB

MD5
05297dda7878473e25a42c16ff3c5bad

SHA1
10980dcf8e53aea9efd7f6aa6e31561a77e57b79

SHA256
566a63669a40f02b97e07c6abb2a8677a77bc52d01cc12ec0dd8f9bc74acda9a

SHA512
1309b47bc46b4479bee895df66cfa7c3eea0c483627bf04cdb414cf049c58a225f7a6bc29ebf04735dd264ed5f18054d974c1f6bfb8081364dcfe4029034fc19

Download Submit
C:\GalaxE6\dobxsys.exe

Filesize
3.2MB

MD5
4dd2a01373d2a663a45517c58414043b

SHA1
7c39c3e79da58fdf7105c8604970b8e2001b3b38

SHA256
a29bb44e87d7d8d01ec642373ad1e0649a775d3aadc1412bb4c20503129c58f7

SHA512
a347eb1d1e3c826e956a50fbdf41a446a591598de57953385f3952b7e99c89983a0382fe92f574fc0bdeaa49ee29af2941f5d41ce116b76e45b72c124861ead0

Download Submit
C:\UserDotTR\aoptiloc.exe

Filesize
1.3MB

MD5
929ab4ba106937e34c3398bb504a8164

SHA1
ff12c282ed0f530ec60c91e26a8751e1f0d184df

SHA256
ac240cb2d8f2c7ac21bca326f84d4a1ce3959a16200a4b128729c5abd270b1bd

SHA512
055b16f7b481a4499eb19fd2b44429440f072228912f6a3622767b28517e8b02631c2c29ae112a03128cdbe3bc1f1acec83ca015a6704cc4a9bf37d4d4773d92

Download Submit
C:\UserDotTR\aoptiloc.exe

Filesize
3.2MB

MD5
fe1c9b2f6b81bbc4d9cd21229ef7a27a

SHA1
a37ad8b11c4b5e0df5d0e6c49192f145e4a9b206

SHA256
4d1206d150ac4df09dd7d4cef4bc4b1c2af87afe275fb84f2a51c3f7bfc3512e

SHA512
2c8b12f3fa93e737bee87038b61ef47892a533e88e32c6e2ed874fc6cb2c9ad4d91a9d2cbf0311efe4465c0a753bcdcc4085a8d23db7a5965b2cee179028415b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9163cf7df12015604bc35994df18c1cd

SHA1
4355d7fbca43c33f032bdac11a9684d603fa0017

SHA256
93923e6b70bd49616308d0620b3cc846da4a249c39211a5d45c567ffa82a9655

SHA512
9bd776d8897707d4fe4fb75adb8dbf00770f721ed11fecd78989db1224ad428f66b30901b5cead7df9ac7c5ea2495f3457367c8f0a8f3e4d9582fcf0a9c45590

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
d041b2064123465e503f01c5e5e55d17

SHA1
215b4066fdb80f3a4fdba6f002783df1a7ad616b

SHA256
adecee8d59c205496e3e466c56cfcf57ad4665c3cdda6d2a825c1027742bfde7

SHA512
90e6bbf1619238804bf87beb653147aa093793fe1eb6ce4f9adb85d4cdccd82a2f790b44aea713d78e85eaa2b7b559fda9c86e5b207c0a6c133c44a68a1d773f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
a5e2223d7dd9bfae53cbb3359de379c2

SHA1
cfa80724bdb1daa3882c2389061dbbfd32ba56f5

SHA256
234192e5b2ed3f87d636cba410ad239d6a5d653b545ceca26d0199a6f5274cf5

SHA512
72a10193f9ba9764ebb8aaaf74f9fdcc5f78c276f53d76eeae8fcdea87270ae6f835a0b74a226e31aa791c6662199648d9017fcae4a49652be2e85ef835439f2

Download Submit