d24df9ba870a9df90f960e47563e4a261223e41a783024b28ef17b119f88f422

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97bc5b6b39934e2cd9ada416f49d4d20N.exe
Size

2.6MB
MD5

97bc5b6b39934e2cd9ada416f49d4d20
SHA1

4f31156baeb55cf8afacbedc2cf03f5de02f9421
SHA256

d24df9ba870a9df90f960e47563e4a261223e41a783024b28ef17b119f88f422
SHA512

a88d9bb99bfde65c7effb8687f3e2ecd77ec120da6428667f3246a176739a5242a58d5f6b5c6c5bd8f1be3609f94e053b9e159d648ea4d901b0a6b23b7e76560
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	97bc5b6b39934e2cd9ada416f49d4d20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	sysdevopti.exe
2728	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe
2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9M\\aoptisys.exe"	97bc5b6b39934e2cd9ada416f49d4d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0U\\dobdevloc.exe"	97bc5b6b39934e2cd9ada416f49d4d20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97bc5b6b39934e2cd9ada416f49d4d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe
2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe
2800	sysdevopti.exe
2728	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2800	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	30
PID 2232 wrote to memory of 2800	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	30
PID 2232 wrote to memory of 2800	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	30
PID 2232 wrote to memory of 2800	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	30
PID 2232 wrote to memory of 2728	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	31
PID 2232 wrote to memory of 2728	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	31
PID 2232 wrote to memory of 2728	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	31
PID 2232 wrote to memory of 2728	2232	97bc5b6b39934e2cd9ada416f49d4d20N.exe	31

C:\Users\Admin\AppData\Local\Temp\97bc5b6b39934e2cd9ada416f49d4d20N.exe
"C:\Users\Admin\AppData\Local\Temp\97bc5b6b39934e2cd9ada416f49d4d20N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Adobe9M\aoptisys.exe
  C:\Adobe9M\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9M\aoptisys.exe

Filesize
2.6MB

MD5
11f31a4240e83cf496367c91aa283980

SHA1
9ddb43c34d5e9dcc9c3f8f40dbba55cf5204a67d

SHA256
871ae9ac1f7baa80779a8466cb586011d2523d02e5ab6c37a9ede0d45b21ec17

SHA512
17a4173443e3f71a3327a984c6c5b1a3535dfb7d1b4d8a0274713080c55a3cc03d02fe12fcf9a4500e78cf942272fefd011aa7a79aa0d7924feeb53ef8f2d3ba

Download Submit
C:\Mint0U\dobdevloc.exe

Filesize
2.6MB

MD5
09385bb18dc5f2fc0d795ecc8b47a4e6

SHA1
061cb72ab0984041c963560c4c00d0a70bffe833

SHA256
1c380ef36b576843fab635d2095c9b3332a59219eb66eb3ab5ca970bd2b92ef9

SHA512
fe1fc2e053a11f53ae937fa747cca8f97e87a7c3e65927bd705f67ac8eeaf10651bd545a6b39222dfa6196acfe0ef78f33ac85894551acad6405250b71a41d4f

Download Submit
C:\Mint0U\dobdevloc.exe

Filesize
2.6MB

MD5
fb25827ba0b3dd4a4fa600ac019523aa

SHA1
ba064e29451ffef290a68590f78dbb41449dfb45

SHA256
057c61c1e70a3efb28f5a9d426078fd989f0fbeee37b5b0915c5686ffe122600

SHA512
3e7e4a4259f25c402e3891f829107731d3334c171d79ff7899a262640c24890f33ddb2f1705800e46430c0fcf1673308e579f5ea20466904ceb628fffd5361d3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
741312b630f7e58a1ee78517252fb110

SHA1
3390693f6a06d73dc60472006e84ce4d0aebe6fb

SHA256
1f7c0aeb284bdb2c47e5ca778255018d39ebb61659915b2f7d14c9c1e368c7c3

SHA512
aadeb9d203473f74168a6abe4e1017852d0cb7b7e7cd4653cb11082270d2f5635552d1fe0e5cd69c8c16122e7c1b9bb6957ccbcaef1d60ae0e49968d70b7be7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
f9926a366b08a6312299e1a4731bd08b

SHA1
9fc4fb724f8a45a20d8d74a54206829e98371e99

SHA256
17e0e9c62293000a824a50ca2b7f6909fd990c9b364df624177b3ec0594bd95c

SHA512
c7645823ee2b62e5a7001fcd7fea238feb7576e73e8ca82f3ff6d282259c5e6d8e68120117c0ef624b8629ad2c40eae17bb1cea31206f5116ac587dc5229b896

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
5627b81c8df2f506313ef6bb7ee5bc59

SHA1
6a52e6e33d61b14b6442afe5233343877722daf8

SHA256
0367d8ebf2fe788067a9f3e57b79970e41195a41c4d40cbcb68a20c08ceb71b3

SHA512
a1b58581cc6410f1e61c2cd25d26dd712e9cdd8c0455eb8462ffed19994ddb52274e8691dcefc31cb7c672faf971e8cc948fb1b3cec39e21913335b31575f9d2

Download Submit