9b087c2c517f67b31d7b1e84af8713861a581415ac5855db79627d5ac3fc7f9d

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9935d3dd85107cd23c02a37220ba8100N.exe
Size

3.2MB
MD5

9935d3dd85107cd23c02a37220ba8100
SHA1

0e0975fa9b53a685b2a917bdc6b3be88cd9553dc
SHA256

9b087c2c517f67b31d7b1e84af8713861a581415ac5855db79627d5ac3fc7f9d
SHA512

187f0eaf7f85e5d7bf18a1378fa75fd6adbc8e89244c124c58f967685ce400932e68fac7d048e53de42d2204375112f90e588abce79ee76325290f1e58cabdc4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	9935d3dd85107cd23c02a37220ba8100N.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	sysaopti.exe
2352	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFD\\optixec.exe"	9935d3dd85107cd23c02a37220ba8100N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFN\\devdobec.exe"	9935d3dd85107cd23c02a37220ba8100N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9935d3dd85107cd23c02a37220ba8100N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4404	9935d3dd85107cd23c02a37220ba8100N.exe
4404	9935d3dd85107cd23c02a37220ba8100N.exe
4404	9935d3dd85107cd23c02a37220ba8100N.exe
4404	9935d3dd85107cd23c02a37220ba8100N.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe
2992	sysaopti.exe
2992	sysaopti.exe
2352	devdobec.exe
2352	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 2992	4404	9935d3dd85107cd23c02a37220ba8100N.exe	85
PID 4404 wrote to memory of 2992	4404	9935d3dd85107cd23c02a37220ba8100N.exe	85
PID 4404 wrote to memory of 2992	4404	9935d3dd85107cd23c02a37220ba8100N.exe	85
PID 4404 wrote to memory of 2352	4404	9935d3dd85107cd23c02a37220ba8100N.exe	86
PID 4404 wrote to memory of 2352	4404	9935d3dd85107cd23c02a37220ba8100N.exe	86
PID 4404 wrote to memory of 2352	4404	9935d3dd85107cd23c02a37220ba8100N.exe	86

C:\Users\Admin\AppData\Local\Temp\9935d3dd85107cd23c02a37220ba8100N.exe
"C:\Users\Admin\AppData\Local\Temp\9935d3dd85107cd23c02a37220ba8100N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\FilesFN\devdobec.exe
  C:\FilesFN\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFN\devdobec.exe

Filesize
168KB

MD5
342ebf6d2c4562b4c7b803882204d775

SHA1
aedfee1960518f163fda0b10e2fdc0451a67995c

SHA256
1eda50e393b51d2acfecfda5af85d27b1096a6df2ccbd7ecad5a7d8c0d33d74a

SHA512
b844dd3d986ef3877aaedee3f1f52a3c81ccb782aad3d849b7d9666f0befc744a5b6c3340119461633a35d525892814f4a2cf8844bc8c34fb42b13b36e98ca28

Download Submit
C:\FilesFN\devdobec.exe

Filesize
3.2MB

MD5
22f78d8e97c9fbdd84029708400c4f63

SHA1
ef139ffbf2770af0a4c8cb0ba3b30f0a0698c8e6

SHA256
8bc97619824b2a8572b0dc2815ab38cbad6485d934457f3f6d50960a6063d9c8

SHA512
72c596a96fabda0548c651e293f0acc90444a1a99f60271f4ddd8a9b89fafb24a1b899092f36ad6af6b8af37cb187ae7c866e230f41bdb542b416fce80e75957

Download Submit
C:\KaVBFD\optixec.exe

Filesize
570KB

MD5
4a6c20e05131f1f6f4830759c2c16a7e

SHA1
712958acb7bebeddfbd29671609c1e0ace3f35c2

SHA256
07f79ceb759510084b64909690fea79281593ce2988a15e2f0bacfd5ed086c00

SHA512
09c6dfa1a0cb9bdc2f8675532bb1073a279a1c44576ef0dfedc577814c9404e50333c4ed1665637f8a0ed2b1fcc791e2adc3f085665470ebb244c4671f09ec1e

Download Submit
C:\KaVBFD\optixec.exe

Filesize
1.1MB

MD5
8d9a398eaf55551ee7b49aabc2519dba

SHA1
b1bab7a8df76304a3ecf8638c079ecd91d1d035e

SHA256
6c12206724658223639c7243b10d0c4ace78b9e9dc5e21e6135c144241477503

SHA512
f04660b609112727ee9bc0da1fc6db871e1733816ca475a36efd4a0898ea27cb7273fbbf25dc96186afaf4a99f3af96e5f134252ab1dc5647d2eb626410b19d7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
dfc390980955fe2e7b187d2bb84dce92

SHA1
9ff356c0d8a73b986427681a86ed24d9f9b77bd6

SHA256
353b0966a551916318b5054db6ed3860371bcfd59561d8ec1b8f88db03c89a5b

SHA512
ebe69a64933a43b481bd4198db933de32e52540fd2c80e734f651a67798aead3cc1c20ff3b25972a7835513809db75e3cd518b2347cd7d4eea35ad5a5fb2c97e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b201cbf1e40c2552e652bd27ab9953ff

SHA1
8e877b7d389839d850afcd7e3387ce5f75e94e2a

SHA256
90298c425a9f61e9264ef9793b96c9a19471ecbc453babcd93f7f0fa6ff8f5d6

SHA512
9ecf205e929ca03beecd9639810d8b4558d382b415bff60cd133e8860f937457e0346a04228f8e5b3c54fa86867dcd5ec8cd7cf560a419a8c0d98714ebf6df88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
960f0c2120693b558afa1c1d744e2c04

SHA1
2a890eb46ac921c08f95ce594422de1fe5ed0154

SHA256
466a39eddfc24cb19e9a6ece2be32a0cf9eab0fb74d45eff5565962aa010b55b

SHA512
770d8250264e6c6ffee0378fdd961ee322f443f5a577c675dbff8473b247661995205e8bd8409232aee21fd61f0ad2571238d5efe8e3a51a37122de31938faaf

Download Submit