96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Size

2.6MB
MD5

5b83d16ceb4c4f2370ab149a03b9fd30
SHA1

cee1c2bd9cad74586ba6361056b601b64c007853
SHA256

96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4
SHA512

3cc10d8be306e9ff9bd000994b889b4fa1e01c3df4f3d273445501fe7e11733df5c1fc02eb4ec4f6e1e2547d5c3db143053471ddf60866b9eeaa2254cbedda0d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpEb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	5b83d16ceb4c4f2370ab149a03b9fd30N.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	sysaopti.exe
3012	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLY\\optialoc.exe"	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files36\\abodsys.exe"	5b83d16ceb4c4f2370ab149a03b9fd30N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe
2676	sysaopti.exe
3012	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2676	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	30
PID 2092 wrote to memory of 2676	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	30
PID 2092 wrote to memory of 2676	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	30
PID 2092 wrote to memory of 2676	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	30
PID 2092 wrote to memory of 3012	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	31
PID 2092 wrote to memory of 3012	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	31
PID 2092 wrote to memory of 3012	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	31
PID 2092 wrote to memory of 3012	2092	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	31

C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe
"C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Files36\abodsys.exe
  C:\Files36\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files36\abodsys.exe

Filesize
2.6MB

MD5
76af23a0f08f13df662d2da66abfba66

SHA1
6851c0fe4b3b8760d3d689d7db7c55f7e4aaf0b2

SHA256
11d769931c984833308a2187b5b86f7873e8aaae8c4312f0f3b786a50f9912c0

SHA512
4f6458bb154b1457b62110377e25ecfcd1a4e4e3d01afedfbf62f25574bb26de88123aa95fd35f336ae09e275b64aac6335448d1e5f95254bb65e6346161cd35

Download Submit
C:\MintLY\optialoc.exe

Filesize
1.7MB

MD5
e50a50307033e7e2af403da7f31beccb

SHA1
b9503b652a09a943e6e195df94f5514da2b76b1d

SHA256
52dc2272166340655018b6b6c8a1cdd77c2d485ed2c9bb1628c9e4c37491dc66

SHA512
1e52c7724c5247e193428d74e9110f8c5b9586f1cc48ceece36f0306cffa56c98edf92800804344a7c1f6f264f66ef3111ed926d5f3adfdb96c49a0d53b82210

Download Submit
C:\MintLY\optialoc.exe

Filesize
2.6MB

MD5
e3d128429e69dbb23575150c7181fa25

SHA1
819ca6da8e371e69d03b06ed42d17e4b78cd9724

SHA256
c0f6462e5144792b38003684470bc64df31f0a59b60c0b34c67936c3b19557b4

SHA512
e160fc34fc613a05f2ed34068d285ceed324ccbb5d0ea45a71b50b4757a5580b72292666aa0c377214f2203555f042313faca667302113923d49692e71482666

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
6b7c8a66d48a6b78c3c5b8c5cc5b103d

SHA1
ab84aa7fdab6af5148cb512fbb10e82dec4136aa

SHA256
ff20a7348f9471519505603a8ae2a6c4a122ce919a8682f39a03119b13a779af

SHA512
00d4b6e39dc69cb07bd8ff8e4ce65b338f35bcd6ddec38332b8ac3f30f6c1fdaa935e843be9b135ae8ecf3c5b4d48f8dca1f11c5bf81ecbda6c82196ef4a8c76

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
bb8e9f801f425704fa097e9c9b12d228

SHA1
195c237613ca51ddf25a8c60c0cf39e03fd03177

SHA256
05e756575e34dd7c14db09b215f15a3dd4533c116ae6c03ab88ba27142810290

SHA512
7f72e297c07b469cddc52643c9a5031870cb6f27b741cc1eafedb3698d4beba3dfead4bdfca0fae0aec99ec829a02c1b70dd18d60fc9b697620a3510586b7572

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
da6b435f62e7caecc0d4ae7ae88acc87

SHA1
d179ec5827e8f9a775de3f8b6522da4a1553abb2

SHA256
8ba3eec5cf9c6b42757c965bb75cf6cb55f76a5df6fb9bccf0136d3c1f3298cb

SHA512
d8beaddd8f50cf0ad78a0fe388c2e5f916620e322bbe24cb97472d757ad16d9b4b7a722e1d138a086324c819ae3b350bc7683bbc226e468746dc01d16b6d7f79

Download Submit