3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Size

3.2MB
MD5

6e2757a6f53d14a8b541f8cfaf064a50
SHA1

22d265bf15497a428150eb5c7948bc43cef14cc0
SHA256

3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045
SHA512

564c7440fd0441fe6eb5e62cecf6228a8305d65e13015ceb558d48d4857f5443b529cb3452b07abae67177f95f2e62f7436a6a0704dcf4d716ef4371ad4909aa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpVbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe

Executes dropped EXE 2 IoCs

pid	Process
860	sysaopti.exe
2492	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSP\\devoptiloc.exe"	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCS\\optiasys.exe"	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe
860	sysaopti.exe
2492	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 860	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	31
PID 2608 wrote to memory of 860	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	31
PID 2608 wrote to memory of 860	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	31
PID 2608 wrote to memory of 860	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	31
PID 2608 wrote to memory of 2492	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	32
PID 2608 wrote to memory of 2492	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	32
PID 2608 wrote to memory of 2492	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	32
PID 2608 wrote to memory of 2492	2608	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	32

C:\Users\Admin\AppData\Local\Temp\3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
"C:\Users\Admin\AppData\Local\Temp\3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\IntelprocSP\devoptiloc.exe
  C:\IntelprocSP\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocSP\devoptiloc.exe

Filesize
3.2MB

MD5
34f0e726c0bd11c38882453b1033b3da

SHA1
082204c9fb514d3e65e32d2c8049c803e6dbc45d

SHA256
bb7cd713568bb9d3c013c6ba10278e3e24f28280007b34e207e24f46c78ae85c

SHA512
af41985f1a9cbef38dc61c98044550eb4e7d3ba914ac78cc3a5bae0df9828bf6e4ecc646e5ab8beeb946c4fc7445a4db45fb268f8caa0158dfbb41e70dab8912

Download Submit
C:\MintCS\optiasys.exe

Filesize
3.2MB

MD5
aac06460f4da01bde9c5f996be857f57

SHA1
700713ecb286b1bcff806f44e576d28e4833bfdf

SHA256
a284c9658b840bb91d93a9c4fefe6799f0c3812ca781a4668ae3a0ab4d38bc4c

SHA512
3f8861ca85cd84bd5039958bacc78929dc5b9acfec3b5b7f16252168c580c5e2983c7e9bf96ebe544742fa8a277ff42a802c9e3f8f37a43aaad8fbbbe0089177

Download Submit
C:\MintCS\optiasys.exe

Filesize
48KB

MD5
d48736965f2b8e04bebb694d01483c92

SHA1
835cf4b7af1f69194c52135a66eab049613ced97

SHA256
2f98d5c6795d26c2dd4d5a98ca95180513c6ccfbe3e94e6123b6e2a68ff2cff5

SHA512
f80ad636f5a916fc4377bf1c3728a3067b94a8e39756c9534393fc24d5f28f16ae87fe27c6f8e4e84cb666d648ea7848fecb9e5a1ded31a6e45721ed182f871f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
a0972a903a7fbeff8008f62cc4315a9b

SHA1
c57dfddc1f06384f1626ab027fe32339f96f95aa

SHA256
1b8915fb6fee269fdf9484d4e63eb2526d68f48d88484d4a6b9d1f8e5b16ab0b

SHA512
97815630b390dcc25f66f6a85e4afa2e77a35b4bfb1f207a0026033c99e936e7e4b54f02ce09f81794d6d946fd610527f7eb10684476858d10537a0e4e4255ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
8138ee20a4a643910bd175d51b47fdc4

SHA1
645ebd51c610bb230e63ca35eed70d469402b08b

SHA256
c2e4412e973cf646d596a2ba5e9f8e41e97f5604582f3b161c7e95ca9fa55c42

SHA512
a1ed2c90733256c24ba74b773870214a42d4ac98c588527079308479ff4daee7c7063144b4e16d0286ce284bdaba5ecc35c37f0e102d9ae11642d720055cd78e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
673e5802151e52efc450f09c36e4c6a7

SHA1
925347a41ae975483581401e5cb5165713fdc1ee

SHA256
7c80fc4bd0c78a59af4609194751c47277b20fb6c6da34c1c35fd10d1cb70178

SHA512
00552545747c214ae99ba8e8a5bbf55583a1013fe42729ab69d6cb61181caded2265729848112b01c96bb066c72218c89db456aee4d826782a4c06770b3143ba

Download Submit