d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
Size

2.6MB
MD5

03b7defabbabb8ad0d420cb4d2aeec61
SHA1

a653ee755a0caeafafa79c9a5dc7d13666c6c421
SHA256

d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30
SHA512

4d975fd820c4717c6b551841db48b23faf72044559e6469f6ca57fe0bcaccc69009d1ceb6e85aba3f5ce3f4f9b236b12323fd4995619cb8e8913da2f71355cbf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	sysaopti.exe
3516	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMI\\aoptiloc.exe"	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMF\\optidevloc.exe"	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe
4204	sysaopti.exe
4204	sysaopti.exe
3516	aoptiloc.exe
3516	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 4204	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	84
PID 2644 wrote to memory of 4204	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	84
PID 2644 wrote to memory of 4204	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	84
PID 2644 wrote to memory of 3516	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	85
PID 2644 wrote to memory of 3516	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	85
PID 2644 wrote to memory of 3516	2644	d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe	85

C:\Users\Admin\AppData\Local\Temp\d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe
"C:\Users\Admin\AppData\Local\Temp\d2f686753ce17d3f23834f0415776139ba11d570522882e99f93cc0f0022ec30.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\UserDotMI\aoptiloc.exe
  C:\UserDotMI\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintMF\optidevloc.exe

Filesize
258KB

MD5
58e7e91d47458eb0f277e6fc722bfc27

SHA1
ee3fafe63a7361650ff22cdf5e990e6495c02244

SHA256
5f823f4e6f0eea730cbac9973e6533b22d1196a34d28e30548dd726defca6b63

SHA512
451adf5c29334c819ef955b3d061fd9ee7e2555e11b35fe5d87787c2495b5d7ae254c0606aa53ba7dad327187ad709acf13c793c9074739bd679a4f153bd7cde

Download Submit
C:\MintMF\optidevloc.exe

Filesize
2.6MB

MD5
cd64829b8a8484c181f6159187f8c7d7

SHA1
61cf1e08401a15b6f6b3182eddea2c998cd79e86

SHA256
31c6c395f1a0fd83992519f7aba12196e0d64c700441375af8a063ea2bf7c68b

SHA512
942b2935b5804817b7a857cfd12773dd2c47fcda105b8747e7bce92546ba3d5d2aca7e3cef6338e0a972c13f5703e37abcf2947fad301b1a2d25a6d03f4f8270

Download Submit
C:\UserDotMI\aoptiloc.exe

Filesize
2.6MB

MD5
83135fa97b5086e89331767b18d02142

SHA1
374712963121b7ba5715d8b4f0984e057b7240ec

SHA256
5d477f548934c89424c1caec10efe3d6d072f5cd5a8845fb1a67d86d972e076a

SHA512
8d00d86f8f2b110ef72018dde4a5bfc1d561ecd125121ed93f9bfcec2ea73176c5ca2e666dc5fd717f6ed1018d73f10a32bed1745be40ec2e8e9f8d295a17e08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
373dd9101632039bf75c5e14c093ca96

SHA1
b65bdd36ba3cb5a65896a8aca5900ad4a251e469

SHA256
2f2ede5331ebfb78e723fc50684b2eddaecb100a70b3ee9199ab076e59b45775

SHA512
822337ad4944a66b58e057d1194fb28a0b98ab0891d31da0d4e3ac34ad07fb2e1a46c47097998b59baa72e0b20dd7fcc27cfd35c0f82c3a33e25c71e631a3f8a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
eadd00d3e45f3e57e1afb9c3a8cec0df

SHA1
536fa3bfea2ed2e4e7ed9df094b4ecb8a6e2ee9f

SHA256
0fd4fa0b798fa5d1557360aeb8d15b1f031d4937d284ff8f76ef2b839d04b81a

SHA512
2942511c6ecdb25aa6912b7772eab07a212ec380a35464d23024d9bb8630ddd49178befaf0314d814c2765919970ef98c3621a2b56d002a2a0a0157d237d5f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
5a6f56d80b6ca30a994b9d0dea560500

SHA1
509cd844bcdd87641bd75ff0619f718679a6bad4

SHA256
f47e26208b45adcbd3a7a539a5165bddca0ba8166bd7b54dc41c27e3eee902ab

SHA512
78aa1651bbb1b2ce56fa2cb9339e6ceda93687c12133cd4829cf6d398feffc2beb0763d480cdf3daf8a47b70000b158f65d2f85390104e81149f22e2cd6c9576

Download Submit