583dea6150a0e5ff28180e09457487016555e1574bc2fc4f1f0a62cb9564452b

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
Size

3.2MB
MD5

0ae3b651b121d7f05c7ed77c7e0f3c60
SHA1

2a0a58e3aec3f0a76e89208c9ea4eb03ba0bfb5e
SHA256

583dea6150a0e5ff28180e09457487016555e1574bc2fc4f1f0a62cb9564452b
SHA512

595ce596cca6bc18e6364697ecaddc2800050c196e76ace0e81d81db98d827f591ff9693cc61ea8baa5196494ff993f0314bd05809bf380cd5b145f8148c4764
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe

Executes dropped EXE 2 IoCs

pid	Process
1372	sysadob.exe
5104	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC2\\aoptisys.exe"	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWG\\boddevloc.exe"	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe
1372	sysadob.exe
1372	sysadob.exe
5104	aoptisys.exe
5104	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 1372	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	86
PID 3340 wrote to memory of 1372	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	86
PID 3340 wrote to memory of 1372	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	86
PID 3340 wrote to memory of 5104	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	87
PID 3340 wrote to memory of 5104	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	87
PID 3340 wrote to memory of 5104	3340	0ae3b651b121d7f05c7ed77c7e0f3c60N.exe	87

C:\Users\Admin\AppData\Local\Temp\0ae3b651b121d7f05c7ed77c7e0f3c60N.exe
"C:\Users\Admin\AppData\Local\Temp\0ae3b651b121d7f05c7ed77c7e0f3c60N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\UserDotC2\aoptisys.exe
  C:\UserDotC2\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotC2\aoptisys.exe

Filesize
304KB

MD5
399379eb21d4d1a237313b121affb187

SHA1
46027502073bd42582ab093745ee5b3ab3993c89

SHA256
b18f78c6135e89a0439c9731828e771b0d7bf7336debc3e55a78b2166892ed80

SHA512
09e11abc2424080d4e6ada9fe09aec728bd0c2d8fab5c85e8070fd138dfbdd9d5a2754d96dc1bcc04b953b9a898167434c88d13f980ebe1dd67598d93441bfa9

Download Submit
C:\UserDotC2\aoptisys.exe

Filesize
3.2MB

MD5
736f8ca84f7d102c62ac49cd5c7c9d5d

SHA1
f7289b454f4c2b8dd89f3b17f63de0a7f019fae4

SHA256
0ece297311651c87246c38987e9af7ed8e208e49c68e2df81777080e613cf001

SHA512
36bbfd955a6e160a10a5ce568bd6ee2d48e126ce0ba45540e63438077126226991039f1aebe3c5530f3939c39c4bdff357f34e0b3a54c1c64dc523bd28f75d2d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
690132f1787a014e19ca00362cf39555

SHA1
c40af9785fb3a0aafa912fb0ed4f9858a1776a1f

SHA256
8cdfc30f72878ada55748d8914f42b6e1b97d27b0c81e6bbeaedd369eaf8fc53

SHA512
ca9ca980b0ac13f71440c3750216107a46048cf9f2b9b289dcaacf578990e0020251fd7b42bf370fb80ebb6502da967c7b3aeb7ae44699092f0d970411708abb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
d39122d66ca51373a08b2c403099d811

SHA1
66c41688e68e08d7f2fe6cc5bdaf964bc699388e

SHA256
ee888c616dd4c8850835bcc8271e1a82885d0548aa10cc13e2ce903a53605b8b

SHA512
9d30d3e01f5ff5e4164f16abab6e4e6d8fc27fa6ebe66ffd83a2590a191749534aa63d7af640e7357ae12b70eccae4bd09dda6e43e9794d934bcce6bb1ffa012

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.2MB

MD5
6cfcee4dcc9c342263edbfe0e0d7b7ac

SHA1
1f8ae1d2821f40926ca1093aabd9e4977ea2dd98

SHA256
e59a4392d6662093e985ba0e75add632a55d02fe7784915f7f1ef1d801174a1f

SHA512
e4b4f7e0c35cc37fb19c33a91d2daffa50b2e23fef9a211931f0204b78b99230c330d0204f3ba6fb02663013b6e0c10b8a50625edbbcf384bf60bc4ec8fc0dca

Download Submit
C:\VidWG\boddevloc.exe

Filesize
440KB

MD5
a163b1d5f9c728bf6fb50fe973f47185

SHA1
2a5e96d1c8c2a734133429ea8071d9876b3ec7f5

SHA256
20f59aac1973c1539362ac0b4e5cde2197c7722b4096925545cf604ae2207cea

SHA512
c1983133aa7a0e033e878e1f2cf2c08ac7dcd1d27a77686a05c78d36abb7240d8d45727ef0b68bbf1abdf9c09a1422018a51acb4def8d7a8877e460d5fe62339

Download Submit
C:\VidWG\boddevloc.exe

Filesize
387KB

MD5
fda58b82866fcea2f90a0fb1334c0535

SHA1
19f9e0a783a9e34304c9dcf8e5c9eb9163ec5d14

SHA256
c057a517763e52d64808ee5d6b6a585fbede01ff91f109e1bc5023c25ff87a0b

SHA512
64aad126ada3e9d780a001e8745769684d66b1833040060ddc0dbb3b849a00943934d50295be0c48f06f1af46bf388cfae1cdc0d073b5c582730929e22b2b906

Download Submit