16605d3c20dfda31d67f33bc58edb61db93f6b03ad834368ea4f12a563641865

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135b5d1a525c6cc808b6ff25f7e7d420.exe
Size

4.0MB
MD5

135b5d1a525c6cc808b6ff25f7e7d420
SHA1

4f1680212850f213f5e89821ae2da2eed44efb71
SHA256

16605d3c20dfda31d67f33bc58edb61db93f6b03ad834368ea4f12a563641865
SHA512

ed2668b753edb3bb057d4e8ccc2ee1bcb8f853ba8a196d3ba360fcda6cea4b6abf7f9637e55e2e3313d58f5e440a5c8c40d9e61864ec7e828cde2c4ecdb14175
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	135b5d1a525c6cc808b6ff25f7e7d420.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	sysdevbod.exe
2820	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	135b5d1a525c6cc808b6ff25f7e7d420.exe
2656	135b5d1a525c6cc808b6ff25f7e7d420.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0J\\dobdevsys.exe"	135b5d1a525c6cc808b6ff25f7e7d420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9G\\aoptiec.exe"	135b5d1a525c6cc808b6ff25f7e7d420.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	135b5d1a525c6cc808b6ff25f7e7d420.exe
2656	135b5d1a525c6cc808b6ff25f7e7d420.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe
2896	sysdevbod.exe
2820	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2896	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	30
PID 2656 wrote to memory of 2896	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	30
PID 2656 wrote to memory of 2896	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	30
PID 2656 wrote to memory of 2896	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	30
PID 2656 wrote to memory of 2820	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	31
PID 2656 wrote to memory of 2820	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	31
PID 2656 wrote to memory of 2820	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	31
PID 2656 wrote to memory of 2820	2656	135b5d1a525c6cc808b6ff25f7e7d420.exe	31

C:\Users\Admin\AppData\Local\Temp\135b5d1a525c6cc808b6ff25f7e7d420.exe
"C:\Users\Admin\AppData\Local\Temp\135b5d1a525c6cc808b6ff25f7e7d420.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Intelproc9G\aoptiec.exe
  C:\Intelproc9G\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc9G\aoptiec.exe

Filesize
6KB

MD5
0860ba7ab87e6dbf893e728aa4621778

SHA1
6296ec6dd59bc3b8a68b647437f788d3632c62db

SHA256
dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2

SHA512
6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

Download Submit
C:\Intelproc9G\aoptiec.exe

Filesize
4.0MB

MD5
44a2e265f7ed81ddd77f070b10c80092

SHA1
80fb7d74765a6a2942e11b5adbb7563e16599bad

SHA256
9404881a3a633f2d08cdb8a739d4d0cd1d4b543805ab643b9d016a7cf8f92b67

SHA512
cbe0ecd8475d5bbf6ab60cd7f3aae4546eeb358c59c6e357ce22cb4bbfd8f544772993170e24ea7914c3f8988a7ed5efc880f1db9401fce603b17e0a06e787e2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
0082f87033a66010677c76e87d780504

SHA1
fdd57ee01effddf0c77155346cce03e1f6b79229

SHA256
35160022d2a095f51611aa6ba3a59267db83403fc9196434835febbdb8e2aa5f

SHA512
a36f806e666072a4a12aaee989cc48a7e38763d249c04bf018f251baf25d6c1a6b678a15c6bb8ec59f3044d95711513410e92ee687744032fc6570dcaa441c65

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
bef4c06f22e1a69dfdd70aadc6148a87

SHA1
4b14dcb81134498161d0b34a46c9129afe34ff38

SHA256
d0a0dc32c2088bc00c42f8cc15e6b84d0fceaa0403f48241862cd43072e5d288

SHA512
62da3d782891bd6b147a8dd53780705c95d5c56cd495fa53e5e8b1cd129db9d9f3adf4f746745cdb58e36dd7554e223f64a063796caccd9d9ab35bb714a9888a

Download Submit
C:\Vid0J\dobdevsys.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\Vid0J\dobdevsys.exe

Filesize
4.0MB

MD5
a8a717b434bed5c4d5727adbc4a51730

SHA1
ca496f933dad445cbb8f3a38e5d918a01b493192

SHA256
373887140307b1f5802c1fbd52ba81e808bc557afc631a1307be49f753ac26d2

SHA512
2b502b42ebadb7581d4849437f12a45b57f8c73d9e279294b7dbeff5135f9387508510b66a8635548d522fbd65f7455f1a989c8f0a324c99a98e7a97715590b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.0MB

MD5
72e47321f61843575415007b5f3e31ac

SHA1
e2c35eb9d9f16b213dc95d54264b8edf0ad34146

SHA256
65ea280cb2c78d89d641c817583dc01f70c02397feffdfa0bb5726496473636b

SHA512
f1bd6c3818d28ac3a39c2350c344fa611c2af609b1bcb11fe283191b46c891e06f96cfb28d78c45c550d24831736135f5c3cd53df27a075081102952b5b34ccd

Download Submit