aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
Size

2.6MB
MD5

182b7d0c783ed1014b870ba037eb6ee2
SHA1

d59a0013a3bbac6ee7c7d2a47e37ca963d05c5c1
SHA256

aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb
SHA512

b0bd12c2988312ae152c1f8e840a586abb21de1d12bc86b1b6558c4801525f05de9f664a9cc841f7b8d8751374b8f96363a500e5bb0edc3f71164cdc0ce73292
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUp1bV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe

Executes dropped EXE 2 IoCs

pid	Process
4064	sysxopti.exe
3652	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJY\\devoptiec.exe"	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD2\\dobdevec.exe"	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe
4064	sysxopti.exe
4064	sysxopti.exe
3652	devoptiec.exe
3652	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4064	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	89
PID 3600 wrote to memory of 4064	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	89
PID 3600 wrote to memory of 4064	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	89
PID 3600 wrote to memory of 3652	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	92
PID 3600 wrote to memory of 3652	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	92
PID 3600 wrote to memory of 3652	3600	aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe	92

C:\Users\Admin\AppData\Local\Temp\aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe
"C:\Users\Admin\AppData\Local\Temp\aafed6524a19ab11b65d47237b460ea73556bdd37269f3cbecc2615b727953eb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\IntelprocJY\devoptiec.exe
  C:\IntelprocJY\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJY\devoptiec.exe

Filesize
2.6MB

MD5
f2a1070d6208d034beeded1596fe5161

SHA1
82756b332be2a806bb07a086f88a4c26afcc7988

SHA256
572053e02e9c8ee4095c653e17f08653affc945586bd05b7042d39a6f3aa0567

SHA512
fe65fd953fd46fa3c69901ef032e31138edc8737682800cccc58c5b8c7065c4ee64c515a7f40371f5a9ed037c85b5b4a99516959c35d47895e4a3060a0d3f92a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
9cfb1b80b155924b27843a4678ab64f1

SHA1
7de12684d8139a1679089613f487d09e0bc339b6

SHA256
11cb2f3533e484eb856fa727086ec00ea45500f669ed2ecd53f01d25bd7cad7c

SHA512
0e57f88502da1501bf4ed511f19eaa8e28da7e9e948a961171ca437165f03fbebf96c64567c1c4f294f794c2b3b631c7abd816ba9ffcde2b4d8e49aa93a37b05

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
5b512c03ecbe00d7ab295e54c7566b44

SHA1
8d04e560bed4f009537dc77f33b15f252b831bf2

SHA256
e4e95f68c903a9d7a27ccc582dd5a26bc554dd3cda93b698a36aa2d936146527

SHA512
cb3c348d5279e0bee955fd9dbf75296a832ecbf383fc6e418dde38323377150d0fae955f61039549acf8bf2ef58140e2f618491826fd3ac28a6104c97c69cb0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
5982ad80a75e327d7b97db6c8814d9f7

SHA1
416a39deb3b0f0c2384ad7e73da44af5bc488da3

SHA256
d4a4ec560749b78bad033c96eef5fafd83f371b45bb2bc3fef1287ac3bf0afed

SHA512
dce40cb2d8847675c604e5b3d2295dd1eaeb9bf118a2b9362fec0c89ac748f2ff097c45c6a4e42a231172b1a18237c735b9aab90939783e3b4a2c495e1d1a2b1

Download Submit
C:\VidD2\dobdevec.exe

Filesize
2.6MB

MD5
1a663a1ce8ec40192b36fe70869be389

SHA1
7aed01614956e58213bcdb1a88395181e6fa88e8

SHA256
c07a16ce2ac03b688638a540d8b94a7f5aaccc898fbf89bb9a21d40d67b9ba5e

SHA512
bc14a7382364498b61b554f4d3331605b5064e235adee2dcf65fb2ad663fb71e5cf178daa617f22fab2f9065ca478b5fd508b72aa09a5296b6da76fe2743ef6b

Download Submit
C:\VidD2\dobdevec.exe

Filesize
2.6MB

MD5
66128cb390612d7b5b266f1a9292bc45

SHA1
c9df05dac73f5476e9b00d1c0345a63063644103

SHA256
da127fa8e72838bdfe1e3bec65679669c5ccc45598aa8245172bcddca3d23144

SHA512
bdffc595701e1f4b532c6356e982810914a578cae2b21126c619c5499160e76773618176df4d044dd148f8f27d0da8d8292c5bbf4669af40811180dbffd2f39b

Download Submit