a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9

General

Target

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
Size

2.6MB
MD5

cb5de47c4f2c2f42fc1949f8fb739a36
SHA1

493a9ae5a63c54b21dd18b775a401f243c67206a
SHA256

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9
SHA512

858ac8f41f1c45d2994063ef8acd502e645594cfdea9d3e4276b448967fd7d47837684d24cfd353aa77525d62cfad764ab683830846ac3826caf747e5a0f6d3b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpOb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

Processes:

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe

Executes dropped EXE 2 IoCs

Processes:

sysxopti.exedevoptisys.exe

pid process

3148 sysxopti.exe
2916 devoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3148	sysxopti.exe
2916	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDB\\devoptisys.exe"	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8Z\\optixsys.exe"	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exesysxopti.exedevoptisys.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exesysxopti.exedevoptisys.exe

pid	process
2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe
3148	sysxopti.exe
3148	sysxopti.exe
2916	devoptisys.exe
2916	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe

description	pid	process	target process
PID 2464 wrote to memory of 3148	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	sysxopti.exe
PID 2464 wrote to memory of 3148	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	sysxopti.exe
PID 2464 wrote to memory of 3148	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	sysxopti.exe
PID 2464 wrote to memory of 2916	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	devoptisys.exe
PID 2464 wrote to memory of 2916	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	devoptisys.exe
PID 2464 wrote to memory of 2916	2464	a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe	devoptisys.exe

C:\Users\Admin\AppData\Local\Temp\a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe
"C:\Users\Admin\AppData\Local\Temp\a3808092cd605b3ac8b6af0c57bd99ad6a1a523e77f91794fe22702cae5533e9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\SysDrvDB\devoptisys.exe
C:\SysDrvDB\devoptisys.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8Z\optixsys.exe

Filesize
2.6MB

MD5
4be6f688b74fece17babf00e454cdfd6

SHA1
34ecaddf3ef7730dc469cffd78fe002cbde4ec31

SHA256
78b188ac5783e2545b3e66186822fe287273e51a406efd344e41ea4fe9d1aabd

SHA512
4bdad2f9873928ae351c6ebd286b53a314c6315b5f125bf723acbf8e54e9761b8ede0ca567277d4f7cd72fba428ddb4552b4fccab1b61dcc64cb03a27f5abda3

Download Submit
C:\Galax8Z\optixsys.exe

Filesize
2.6MB

MD5
61fa8c1e953560d5119dd0c2f0d3a615

SHA1
a939fce5dd9496b33c4949bf584e5488c473fb34

SHA256
c2df98b0a2ec12ef17c09152333757e347413d54e211f9d04d317d90d0a70206

SHA512
f16b706018962c9c7fd7af9a923bbe29e007e608d2638ca5b474e0a38c28bae3f763d774e0d482aeeabe6225947df0101ce2e0df9cf206a89577b6d31d3cbece

Download Submit
C:\SysDrvDB\devoptisys.exe

Filesize
2.6MB

MD5
f8c4aaa75bd0b5eca138e4961dbf7695

SHA1
769e474c9327a1419e8a882b043e113b32dffdb3

SHA256
352800d2c1f99ce6c61118820a37e9e570e63b06ab2ffb775e5436f24254e23b

SHA512
b6b2d3357a893cd99b99a96edbbc2f421c610c28bf84d7e6e11b662f17a39bf1014f4e2f5c190f81321bce9354314bf9428ff610a21158d9a8044aab828b2d8e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
1a6be6021610b569fe654cb681a9e04f

SHA1
8bc87eeaabb044e43cbe2b55002f764ee29ea406

SHA256
cdd2a87cb0a06039f78b3b33cd03b6a8d7265c0808c15e63967390bd65508c5e

SHA512
b60d3c5bd3cfe87f0fc8434d0003f57378f69f0c32dff01712ddbf6ef9ce893c3535cd63a7f3897b8f401dba8a9c6cb88d0a7470846039f3caa536729555bc76

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
e241551250aec89ae2c50b6d70b2f412

SHA1
78882a5453d259cdb716ee70c9bf82fcbcc99e4a

SHA256
6e445c2452bc83762e2c9e05b830500c39f72a9a09a90009057b54d63073b47b

SHA512
7282f6ae3cb2f436a2bec9afd16f09c2b2d0ba29108e254329174d671694ffc3c57160a941402ddae211a2ac4dfbfd31eb129f41b7f41939334a0301e0614f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
b24192e0e9b110dc860286b7dbaa5ef9

SHA1
cb57fd10ad34558aebd0f6a2b62e9b2307753c5f

SHA256
293cb888ea55b70359894e221786137277f4fc455f3c552b28f6fabdc9a531b3

SHA512
3557b496d3104b13eee45a08a08dcb7bf9cc72f9e9f169fc7ffc3d9ddf26f59cf56abedf617864890451ff79c0ff42b39dc46c8348ed4616e3c25c139242b74e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads