990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Size

2.6MB
MD5

ed7ebf0ab9eef68269b8c3fcb5eb842b
SHA1

89562f6119d27097025c0ab00df9572a2074dbd2
SHA256

990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb
SHA512

0408a369ef86aa954ce9686cc7192ac82bb7eba8a59c934d05183af414cd7392b1a8816a64ed1a1f334e386cc63e8863f8f95ed84446fb5dd159970b180eaf11
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpeb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe

Executes dropped EXE 2 IoCs

pid	Process
4232	sysdevdob.exe
2632	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9B\\aoptiloc.exe"	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4B\\boddevsys.exe"	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe
4232	sysdevdob.exe
4232	sysdevdob.exe
2632	aoptiloc.exe
2632	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4232	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	84
PID 2596 wrote to memory of 4232	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	84
PID 2596 wrote to memory of 4232	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	84
PID 2596 wrote to memory of 2632	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	85
PID 2596 wrote to memory of 2632	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	85
PID 2596 wrote to memory of 2632	2596	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	85

C:\Users\Admin\AppData\Local\Temp\990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
"C:\Users\Admin\AppData\Local\Temp\990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\SysDrv9B\aoptiloc.exe
  C:\SysDrv9B\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv9B\aoptiloc.exe

Filesize
2.6MB

MD5
ce2b85b080b35172c57a80b3887720a9

SHA1
88ec3c4b75b3a98db9180b36819e3086b33463d9

SHA256
45d2ca4ef85b0453de4e819070802b4f73c7f78d5e3cfe4e6e710f892be419e8

SHA512
4be01a2e9259577646a261541e35069900ee00e18044f7dcab5892cc2a39b68434824fdb96b8e279342320f63cd6e361cdabe92e84793f1bdd572ae671ea489c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
7e6205b72708237b7a73c40ffbdad17a

SHA1
ec2d8930aa2365e1efc1c2d38e22efb771647408

SHA256
ad9870d0379235ac74f7614f83a9c0f26ccb67b0e0fae5487e5b622ed5ce2550

SHA512
09fc54ad10958a2b2976f236f30b283364b6626131bd0471dd1a6cbdd2e8a005e848117053094e3d95aff93c9acc2ded78b2e81082e549a75cd79a4aae644fdd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
7f15e1cd54e80c07edf436ef23937a9c

SHA1
1e21a838c9c772f30722c1c189e23709106ae252

SHA256
a0e0f29c6b7657f580961897ebd5c631536378aba85beb590a16e9f11bc1f334

SHA512
7bf62074e541ac8031a46920a595ccb4d16f4ba13155fb18e56ce3851f30c1fff34eda35714d28a26299e1adec5c20ae05c9d3df619080bafb26be58e4fef434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
9ef797262f9211059ce36e2e87a12890

SHA1
56ae7c460aee43ec9fdf1febe2949a2b54538fbc

SHA256
7934f273601f8b55626f191151bab35fe549b2545f386be685062222fc000a1b

SHA512
209c3df697ba9549b7511066f180ef712dd725c43c8a66b614f38c047a85bc18f77d5343e852bd4b793ac486d39ab500c53213bf1ca66e0bcae0ce84b2d958e5

Download Submit
C:\Vid4B\boddevsys.exe

Filesize
223KB

MD5
bd293b77377b9f08b4b5763a889a1324

SHA1
1270f64634150c6853440db4aca88ebfb4c1250a

SHA256
6275c2cf8f4dce45fe2879bdfd9c4e91b7ca45cd0322cb69ee47d7403fdc66a4

SHA512
4d033dbf941c444d86fbe9844bd1162c4bc540cb73203f70a810773eff952f69bbdcf3b04b1a5b8be3f420bd9045b320a76e349110326088729cf63c6536776f

Download Submit
C:\Vid4B\boddevsys.exe

Filesize
4KB

MD5
34bd8ff991b1427aa83cc59b77d0487f

SHA1
1775fb0e77f2b1b201917c49e409123372df9167

SHA256
8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec

SHA512
5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e

Download Submit