7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Size

2.6MB
MD5

9f7c74b3e33e5300d21f6596a1306610
SHA1

75036ff3be8f0698445c5161f4b824cb68f8c206
SHA256

7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588
SHA512

5bf5b8d3833260c9fc8f6028521ca1eb3923b09dc462398b27071f228a63fb9016ed4a3e3e3c4c0a6ab31664ffd9af16a3cef1a84ad778c227336da4336276a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe

Executes dropped EXE 2 IoCs

pid	Process
3396	sysdevopti.exe
3928	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPG\\bodxsys.exe"	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK1\\aoptisys.exe"	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe
3396	sysdevopti.exe
3396	sysdevopti.exe
3928	aoptisys.exe
3928	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3396	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	88
PID 3112 wrote to memory of 3396	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	88
PID 3112 wrote to memory of 3396	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	88
PID 3112 wrote to memory of 3928	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	91
PID 3112 wrote to memory of 3928	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	91
PID 3112 wrote to memory of 3928	3112	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	91

C:\Users\Admin\AppData\Local\Temp\7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
"C:\Users\Admin\AppData\Local\Temp\7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\FilesK1\aoptisys.exe
  C:\FilesK1\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesK1\aoptisys.exe

Filesize
2.6MB

MD5
d959849fe0d7616afb892f7fad788da1

SHA1
7da946b9f7ca3fc2f9299ebeb4c68b73013dfa5b

SHA256
59b6e55e9e9dda809ae420bc3576710b3a7b8e809434ae35d0d5b7cc75b4970d

SHA512
8fe51ea3ca58fed94a0a679f58fa88da292103cf5ed3663b1c40dd08545e20467b4c19601fdd2639738b68db7fa4f8e4360f01a42bc85d4d8c222824ff6d2e9d

Download Submit
C:\GalaxPG\bodxsys.exe

Filesize
2.6MB

MD5
91758660dee427edc58f5fa2c47bb31a

SHA1
5d1f6b26fa925d21752bd1b150cbb16c8c5561bc

SHA256
a226643c057f7ab02eaca39a6e0147a4293a09a2712b64968b7399ca7e651192

SHA512
7285cae3dee529b3f30ba1cbde591d7758375d8edd37ff849d1ffbb44318b174c296360cc54a40f1f3d2981a45260361dd09049b4464baa14df48ef8be24e15f

Download Submit
C:\GalaxPG\bodxsys.exe

Filesize
897KB

MD5
3e98d30ed6b4f6366468533feaa48b60

SHA1
71c87bf9e2797244716c1de658f90266c3ef6b19

SHA256
9d6f3393e63c6fb92f35b4203a41a26351736f95f2a21b7b8afd6a842624487a

SHA512
7de2d0db3b16c8719875ccdf84f17e819648f28fc93a6d502d78403534862227cd4c2543bf2e1b051228a2796609cd7af83e196cf53e8c1b5e25cdcf4425691c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
eed90524510502b42f5bec72e4d53c11

SHA1
2f359e8008229429d3bb5b67726a6d97ddf57081

SHA256
ca7ef12f3885d7abbaa57844713e821fdc499572680aa5387688c4efb9d05a7a

SHA512
aa1fdab4d53a51ff3118438b9f771482e537738efe27b735fa3f31eb3ee1654ca543957c857eff942f1b4e4900fbbf98a2932e65d17ef4fc607f08db15107232

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
eddfe3f68c0339d07618ec852f776bb2

SHA1
bbd0bd5fd336c9540014e6f387832b79e95e8bae

SHA256
8293fd4c6335cf81c5bd7c7cccca258a402049e29f0953f8e5f8a3e13cda62b0

SHA512
87b25537f3a800f8b4d9f6c3bf671d630e94fdc6fe71f3ae3289867ff37eddcdb393350cfb8eb53e619c2c9335b9fb9e17ea828bf8a1b7c8b1ddaae75465682e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
cb4918349906865e8f7cb561d2a04d58

SHA1
0e0687842281f414d788982d0aadf7b703c557b5

SHA256
0086b3df9f85fb3ec4289908d1b80ba20ddc9e1dd43a9e67484ca93fcde3985e

SHA512
14b7630f11b8d9c5569ee846264247172a1e63bf0ef1effc11fceeaab75d23b4d55173b3de53083a62186aad5e3b73b613e48c0d816f9ff60cb7dc427ec9f15a

Download Submit