3576f376adcc66d33b7c63f1a9c71436b6f57cf9cdaf631a986de8d20f2b8277

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69facb3ed9b2c3f67673c73bfecaacf0N.exe
Size

3.2MB
MD5

69facb3ed9b2c3f67673c73bfecaacf0
SHA1

30aaaf171a07c4a3cbb4b67397282cc9aa8f2749
SHA256

3576f376adcc66d33b7c63f1a9c71436b6f57cf9cdaf631a986de8d20f2b8277
SHA512

f88a90a9387c0aa08a5439ca5eb00baa44a4168c4729f31c28a456b37052154d9b1fd97c7dad5c48768f039f492efea0431b2f8279c9f2773f26df41965c2758
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	69facb3ed9b2c3f67673c73bfecaacf0N.exe

Executes dropped EXE 2 IoCs

pid	Process
5044	sysaopti.exe
3128	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIY\\adobec.exe"	69facb3ed9b2c3f67673c73bfecaacf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintA4\\optixec.exe"	69facb3ed9b2c3f67673c73bfecaacf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69facb3ed9b2c3f67673c73bfecaacf0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe
2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe
2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe
2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe
5044	sysaopti.exe
5044	sysaopti.exe
3128	adobec.exe
3128	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 5044	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	90
PID 2940 wrote to memory of 5044	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	90
PID 2940 wrote to memory of 5044	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	90
PID 2940 wrote to memory of 3128	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	93
PID 2940 wrote to memory of 3128	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	93
PID 2940 wrote to memory of 3128	2940	69facb3ed9b2c3f67673c73bfecaacf0N.exe	93

C:\Users\Admin\AppData\Local\Temp\69facb3ed9b2c3f67673c73bfecaacf0N.exe
"C:\Users\Admin\AppData\Local\Temp\69facb3ed9b2c3f67673c73bfecaacf0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\AdobeIY\adobec.exe
  C:\AdobeIY\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIY\adobec.exe

Filesize
662KB

MD5
9db3a3c89bcec16eb4de721a109c9c2d

SHA1
6f5a2d2f3bdd698a9e031742cef24c2a3bfda8b8

SHA256
0f1e69db2c27ccf8a3e207fd692c2cf7f4569ec58b9947fae1b3144e8a1d5a4f

SHA512
c8f6eab52d2a1f2cf9103a73b2ad009e01fca0a3df1a76c2cd65a148682e6219c549ef85753fa66d3de954869f18f83e91528b871660dbecd516dd25ac686797

Download Submit
C:\AdobeIY\adobec.exe

Filesize
3.2MB

MD5
92ca3bb6e18d30cc7c034f657fcac9dc

SHA1
e4419f0f8edf146537f6e400ed9879455df861a3

SHA256
df8bd2ccbb6d805af780525182c78182dff48506d2f4bebba90fc9493a8d7a94

SHA512
ce30ebae14e1c0e99b2cfba1d8b705938e12acc84e85fd60c6e7a7e4e6e408d725009aad81374b5864d8163dcf7146c10a18738fb664378e68d79a4403be221b

Download Submit
C:\MintA4\optixec.exe

Filesize
3.2MB

MD5
0b7a667949bdd36f8837abbdda62aa50

SHA1
27440b5bd820f052c6df5fdbeaf9f4d46ef9a314

SHA256
ae679f3ea2670e9304ff7bbdc4549a0cf1f89ed30ffce6fa18c7b2b8d045d72e

SHA512
131b4a6bbc195c1b1e9d37c9cff29e32e4cd9aa6e5cd13bb11e8660eb38c6d3a6d3d7b107d319e5433dfff3e153a76dad4bc78073f9d903904acfbd4adf8ca93

Download Submit
C:\MintA4\optixec.exe

Filesize
68KB

MD5
3dd99fd52fa2b28eaeeaf7183018f9be

SHA1
3290381f779c52840fbbe1fff2551e88a8daafec

SHA256
03461e4286d94a40ed75a05b56e97beb53246b66f71d08fb5824a2bd4b4075af

SHA512
de65c0b6ed45fbe40a6f5a9173cd7ffda44d60e8e86d6358d8cfa3d9fbf7c2bc316aac8d1a7af8d8cecc3193437414f1f08e46b5c06d17472ca155173b8e0640

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
802fc89e09a661085e0efe8edf112617

SHA1
23d6cc7cfbe6c6e683956205ed18864a5e45364b

SHA256
7c9679eb4d8a294aaed1b0216362dafd768cbe30bffff2f72300ed424ea52b3c

SHA512
7a83593116ebd1856a9b06bf54864ff3f3c10792d18b23cca34cab9022b647fea58024f8cba3f7682bb57d6698e671a4da03a1da36b81e9fb57e86c750777be9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
f3d8f75a38def13a0dd890b320e5e06c

SHA1
b9ad9c4d877f3b0f7ef0df1e1bcf9de3a8a59c23

SHA256
9d0784a7af5b6718a77f7bbe5c86eaf4a36d3d4cc05bc410a73131a9e163e925

SHA512
9338ed1b8a4a61f84790769608e8b22e7632e8612a14e2013614dc34e8dbc14d93396684da9de3bcef13f192466cddc3938e3964b27b2ae19d176b45f7fb8813

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
b487a43073f935dc26c54096743c2854

SHA1
3aa26a5e2243a6f5cb81c0410618ebe5115f5c66

SHA256
18895d408c7308e96f242a5a0544de99802bfdf0cbd02652879a163278f72990

SHA512
ec3ca68e9e3a52f61738bf0e3bdde88c718eccb8ff700b9432fa8f08dc2a36867bfc07b9a2f507dae296ae531db41194bc67c8ede8930fc81fd84856ff4b7753

Download Submit