1634840dca8ef8c198389e3e5340eb183e9e6e153e772984d70162857db5f770

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8fb859665661a537d72c49a9ea9d710N.exe
Size

2.6MB
MD5

c8fb859665661a537d72c49a9ea9d710
SHA1

541f571ccbc8be0fb3dd07ff9efe95a5e81550bf
SHA256

1634840dca8ef8c198389e3e5340eb183e9e6e153e772984d70162857db5f770
SHA512

41157e5555119823a8fe73878506fa95bf5637ad2e05dc606a5f794f273340305e899b65e3053854aa4a13f6ce8c952bb30df1ee750d2f4b1a25c123912f956f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpIbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	c8fb859665661a537d72c49a9ea9d710N.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	sysdevbod.exe
1372	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	c8fb859665661a537d72c49a9ea9d710N.exe
1932	c8fb859665661a537d72c49a9ea9d710N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9H\\aoptiec.exe"	c8fb859665661a537d72c49a9ea9d710N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPZ\\optiaec.exe"	c8fb859665661a537d72c49a9ea9d710N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	c8fb859665661a537d72c49a9ea9d710N.exe
1932	c8fb859665661a537d72c49a9ea9d710N.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe
2320	sysdevbod.exe
1372	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2320	1932	c8fb859665661a537d72c49a9ea9d710N.exe	30
PID 1932 wrote to memory of 2320	1932	c8fb859665661a537d72c49a9ea9d710N.exe	30
PID 1932 wrote to memory of 2320	1932	c8fb859665661a537d72c49a9ea9d710N.exe	30
PID 1932 wrote to memory of 2320	1932	c8fb859665661a537d72c49a9ea9d710N.exe	30
PID 1932 wrote to memory of 1372	1932	c8fb859665661a537d72c49a9ea9d710N.exe	31
PID 1932 wrote to memory of 1372	1932	c8fb859665661a537d72c49a9ea9d710N.exe	31
PID 1932 wrote to memory of 1372	1932	c8fb859665661a537d72c49a9ea9d710N.exe	31
PID 1932 wrote to memory of 1372	1932	c8fb859665661a537d72c49a9ea9d710N.exe	31

C:\Users\Admin\AppData\Local\Temp\c8fb859665661a537d72c49a9ea9d710N.exe
"C:\Users\Admin\AppData\Local\Temp\c8fb859665661a537d72c49a9ea9d710N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Files9H\aoptiec.exe
  C:\Files9H\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9H\aoptiec.exe

Filesize
2.6MB

MD5
5180077c29427b8a5aafe2103197beb5

SHA1
2741d0b2f09b9ddc1bcddcfffefd3a126bd547f5

SHA256
ade21e76eefc38c5f1318064f5262affabc8f1e5822d3b781c77c77938277301

SHA512
46610c36c827f32dfbcd6c3c34035f5346a15910e9ffb86494542e661d243e59c1f459571aabeffe89c41a80aa029815c2cce452e431433843ed18406ec9d9fb

Download Submit
C:\GalaxPZ\optiaec.exe

Filesize
2.6MB

MD5
7e80ecff645076b7463c9822fdeb0897

SHA1
0ab4b1b0cf39ea5cebe116aa004391b10bd7089c

SHA256
9545e7fb5b453af6724b7cd65dde33b28057461ac6df6508d63236b7cbd9074f

SHA512
0a8b8d6b333d1412e750034e37b7b1bb8148363d2e6cee0d951180aacde773f5322201eed21d3ba26311523c5b3fe90c5ceb74432628d2911037e5ef37315952

Download Submit
C:\GalaxPZ\optiaec.exe

Filesize
2.6MB

MD5
0a53c79fe671adf6584764397d2816ba

SHA1
47f4b395837e50ad96c6e967874cd7f303ce17b5

SHA256
03f01b74a5afa97bf004ab8f00af57019569f9be334db025f22caa1c686c7f40

SHA512
a08d8b223ca19b4137a1e75db527bec9330c1176738c6b5a8b5348caa6352e8c6006dad3b1faf0b5c051f0c5f4d8d8165558b0438d7e9441fd63264b467ca599

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
56939bb79d0aeb8d657fe6075d835ae6

SHA1
d264249e92f6c27a6be5f473fce069a01c3a3f13

SHA256
c50c0778f02241374dc8f12191b8dbd2c11a98728a6c4bcd17b03aca49e7cabe

SHA512
e2410154dde9310a8aa9f508603b7f50e13bf438dfab0e5b021bf90a91f7bb3f5a16298e835de95393ae5f71d97d34be4057fd1c7f74d5b2040d74eccbeca3c5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c6e22df8ee0d01e91041d49d2a70e1ce

SHA1
054d0fc8e11eee8731ff56326003dc5730ef835a

SHA256
4a4926524b5e397a4deeda0d7521fc04bccbf5489f258ea2874b5a72d9a567ed

SHA512
ae55717ac7c6b96ab76c5c0d2b330a29e538c06fbf27836b12c339b952df5787d76916ad85dbd514bfa4e54f50d55aa6dce374c5c06757d8e448fd5d2723739b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
d76521503500ff180a315390a4db672b

SHA1
dd2f62bef303d602282518e1c4e88991e2eb2275

SHA256
197d0c813c8c0a8bab76ab27c113169ac7195383b823f070683a2a96c69faf96

SHA512
8d8b1dd147ac627018f35c4c62b3794fbe8873ecf13a278dd1ea60f48d66b5942995832f006835a2efe40cc3334e5803f4e9294ae0da3f3b9e264a4f3799ae3f

Download Submit