9e5b067fca7836d98f77908417ebaae07f1d5d1941578d2f7a8fdfd1bb01a416

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4536617e1ab87c50261c7bd2e8d464f0N.exe
Size

2.6MB
MD5

4536617e1ab87c50261c7bd2e8d464f0
SHA1

85b3819b5ffde7e9ccd67ce337a76967c541be3d
SHA256

9e5b067fca7836d98f77908417ebaae07f1d5d1941578d2f7a8fdfd1bb01a416
SHA512

5f99251a72a42db2e5bcb13a3b322c814eaea8c9bb1bf832306d31e2e0e4068bec49e1ba959b6babf4759a8365c59bd7ded052938235a5717f5aedb2c8374e5a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpcb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	4536617e1ab87c50261c7bd2e8d464f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2612	locdevbod.exe
2668	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	4536617e1ab87c50261c7bd2e8d464f0N.exe
2020	4536617e1ab87c50261c7bd2e8d464f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTN\\aoptisys.exe"	4536617e1ab87c50261c7bd2e8d464f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYU\\bodaec.exe"	4536617e1ab87c50261c7bd2e8d464f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	4536617e1ab87c50261c7bd2e8d464f0N.exe
2020	4536617e1ab87c50261c7bd2e8d464f0N.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe
2612	locdevbod.exe
2668	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2612	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	30
PID 2020 wrote to memory of 2612	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	30
PID 2020 wrote to memory of 2612	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	30
PID 2020 wrote to memory of 2612	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	30
PID 2020 wrote to memory of 2668	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	31
PID 2020 wrote to memory of 2668	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	31
PID 2020 wrote to memory of 2668	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	31
PID 2020 wrote to memory of 2668	2020	4536617e1ab87c50261c7bd2e8d464f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\4536617e1ab87c50261c7bd2e8d464f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4536617e1ab87c50261c7bd2e8d464f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\IntelprocTN\aoptisys.exe
  C:\IntelprocTN\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocTN\aoptisys.exe

Filesize
2.6MB

MD5
6eb76584cad5137e17199a33035fddd9

SHA1
b552d9ac850fcc185e8dd1a86ebb2103b1af2e1b

SHA256
73afafa1f0787c3d417f1af0fe8a5aa6b5dcce616753cf53b6178ea099cc3342

SHA512
412fa3738364df4552476570900bdfde3ec9b49b74550f9557e0bf4ce299678686448d033c7e293d551a6ea8ba5a25c59c51605cb0ee5bb7967502805921f762

Download Submit
C:\KaVBYU\bodaec.exe

Filesize
53KB

MD5
2e9a66b754b83350b21648f88780d54f

SHA1
0d11ac5510ab97707d5532f9533436cc60d891c1

SHA256
e597c53b5215cf8367feb0dfaf2c8560bb3b69e9a2424e217f96cdd80db5fd1b

SHA512
b55da4a67482d8ca4e5622815788ef121374058d711b3dd474a7d85db7666d66f92b6112b03619fd07016ba7014d5cbcfab88b6740cd6e4747ceacff96dfa54b

Download Submit
C:\KaVBYU\bodaec.exe

Filesize
2.6MB

MD5
e2d631c4d9dd4a41c6ea9a2a59db7986

SHA1
1645ba216e8991a680f647bc6f8e1f109ce44af6

SHA256
e3730f23d556b990ba2fa92724a3e4443f874a3c9279430ac5f0e19e5c96d07d

SHA512
875cf6d078b0017c17a570e24640a80e4eb218c0259492a4551b986fd6c15c609108826d50ccd14e06fcc97623c78dfe7a6e58d59ac84cdb002301f327033bb3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
0fdfd224661aa600ed3635bba1ada1b0

SHA1
5d601e726c9288ae16b1b5c38edfdb952aacc103

SHA256
3873c5925a7436f902b6dabf2280dacafab0c27561c28f7eb399ff093adf25a7

SHA512
65e44058c52d71e04d8ac7c0328aa8ebc54ef65624d43fe2e51271165f8fcb34da912a5e54d8202df6dc2618cde3584ba9dcbea5651cc5ae58e3045099ba292c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
3fa545966c9b967d20d0ae65792626a3

SHA1
9c4c9d1a607975ab30e63f14a9940879a11541a7

SHA256
2093efee9350be9da6febc7155504be9c8cb90e6aa53b98f18275c0dd5339b73

SHA512
e13df53d485d196c674ecbdde2a58e5498b65acc4a2a2b6d1c2339d8b13b0d3207d187f2aea4a62c88cdac0179ff6c93d8ea3f74f6bfb11b32351d0130d3fa29

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
509f8bfea44df3fb0cb4b6b28efcc9ef

SHA1
5eafa378be83bd331b5377e73f976b35606873ec

SHA256
78fa96ffb5e2d4f5ebd7c913dcf0f655d5a4fe93c4543d04099647f5ed2f0fa9

SHA512
87b323140e63b74660445fb1c1c649967fc0843fee8299f12f0bfc9ff4ce04eef6963c03bc4250dd06e3490caea90dd13c9e1b337d71daecac4b43008de1abb2

Download Submit