c9ea54e76bdddc4e7fbffad6a3fb6554f91173aa71da329daab33c43cca0b4a7

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbba3a530dc5ffb5094e36fa60a098b0N.exe
Size

3.0MB
MD5

bbba3a530dc5ffb5094e36fa60a098b0
SHA1

7ab074c0b09b395bfc7aaeee01a0ffe46174fe9a
SHA256

c9ea54e76bdddc4e7fbffad6a3fb6554f91173aa71da329daab33c43cca0b4a7
SHA512

409c0d80186c19b157d194bea4c8a382eff240ae7f55cb2b3facc33d55c906165090a661b3a95614caaa3a9126915f7959db0f81ac86b8c1f11e424f4c0cf206
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUpPbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	bbba3a530dc5ffb5094e36fa60a098b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1204	sysaopti.exe
1568	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3X\\devbodsys.exe"	bbba3a530dc5ffb5094e36fa60a098b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint24\\optixec.exe"	bbba3a530dc5ffb5094e36fa60a098b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe
4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe
4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe
4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe
1204	sysaopti.exe
1204	sysaopti.exe
1568	devbodsys.exe
1568	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1204	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	89
PID 4920 wrote to memory of 1204	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	89
PID 4920 wrote to memory of 1204	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	89
PID 4920 wrote to memory of 1568	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	92
PID 4920 wrote to memory of 1568	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	92
PID 4920 wrote to memory of 1568	4920	bbba3a530dc5ffb5094e36fa60a098b0N.exe	92

C:\Users\Admin\AppData\Local\Temp\bbba3a530dc5ffb5094e36fa60a098b0N.exe
"C:\Users\Admin\AppData\Local\Temp\bbba3a530dc5ffb5094e36fa60a098b0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Files3X\devbodsys.exe
  C:\Files3X\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3X\devbodsys.exe

Filesize
1.5MB

MD5
d2da3dc35f4b8e545b4c5075456d6559

SHA1
7ad09c29883c5bcb3f1af1bbee4dc40336237390

SHA256
61da32cf815c32eedb62f6013e1871b0edc35737d971246d6f50ed2db3818de6

SHA512
7d11dabad7e19035b0bb045a2b7428a75e07b6d75f001208b1bbce7fe3568d80e0ad13bf6f2533d8b5699f7668a944a2899728766b844f3bd61d4d41f6f5e78f

Download Submit
C:\Files3X\devbodsys.exe

Filesize
3.0MB

MD5
0cdb08491dc6f48471442e374f73d06d

SHA1
70de96ebcb6dba5ca09f0f7a922d996f86a18b9b

SHA256
f39e7eb0f332f8fdd6964b5e1f4bdd62030f10c8c99982ab276fa2eee399fd54

SHA512
7b9f884c322c66367b4af2c336111e51311392c36e9e387b89f6f0236351f6b71fc3a6be03c52fbeae1dd118735bfc68b7debb82465ad4a2c2ab137bf9a633c9

Download Submit
C:\Mint24\optixec.exe

Filesize
1.1MB

MD5
006c58b45979988b4b073f489ea5f343

SHA1
400501230717ade6ad1f0aa09b194372d18c7a8f

SHA256
75e5877007272ec48093726f638a5f6bb9bf7bfe288acce0cdb628cde4c4c3f7

SHA512
b0f5040f9b5ecbb5527ee9190027d4d02630a7e2b4e38b7a8262a8c625781739e39e26f56b2d7563aa1f16182e4934bc9fd989711866244d24a9705f984d0628

Download Submit
C:\Mint24\optixec.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
5009f6c79203061adec0bc3e435a0201

SHA1
2269e4c35414e2756be4ac53d5710a7792ef0005

SHA256
816fe5a408877f1beaa6d2ca4d2d89d67c88994c1930dd1d4c09368845878ad9

SHA512
9ddf43d2648ddc09538137a7dd925e3e59eaab98bba3295b95efe0afdf2872c19f117687e3a8a6679e6bb8a7847e7f590ba55c1ff9273467c4079e8b836e4f0b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
8c5b3679a6129fa5859c383b8d763e8e

SHA1
9b97b3a6a0b810228b681a9db79e2463d3c35cd6

SHA256
c6ec3f14e2bdd1ae8eca426f68410dc0e6127bcc743c4904030b27cbf9ec6a3f

SHA512
a0d8a204b9eb2d65ab5f5bfff714fd6b223f4559c598aa632874de09c8914d780c6d6de3434ff3cab5ad802a7cea384e5c84fb4c25ad8f00ae8f4b4465e4c678

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
b8048135846715fa489e3396fb466768

SHA1
afea3505a179be47a7ae7d02933edef36c0352fb

SHA256
89847c1685fd323eaf3c30807e97e1af95507dc0f0df603363bc8dae65d4892a

SHA512
4ae89c709e4c4382be1b7f345479268e789775cdb32f797f8d00b69bd4eb2d447ceec873ed00aaf50ef0b6b1769ca03b8edd8c4669bd5adb75d96a63005c0e44

Download Submit