d24df9ba870a9df90f960e47563e4a261223e41a783024b28ef17b119f88f422

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97bc5b6b39934e2cd9ada416f49d4d20N.exe
Size

2.6MB
MD5

97bc5b6b39934e2cd9ada416f49d4d20
SHA1

4f31156baeb55cf8afacbedc2cf03f5de02f9421
SHA256

d24df9ba870a9df90f960e47563e4a261223e41a783024b28ef17b119f88f422
SHA512

a88d9bb99bfde65c7effb8687f3e2ecd77ec120da6428667f3246a176739a5242a58d5f6b5c6c5bd8f1be3609f94e053b9e159d648ea4d901b0a6b23b7e76560
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	97bc5b6b39934e2cd9ada416f49d4d20N.exe

Executes dropped EXE 2 IoCs

pid	Process
3572	sysdevbod.exe
3180	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8Q\\aoptisys.exe"	97bc5b6b39934e2cd9ada416f49d4d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUR\\bodxec.exe"	97bc5b6b39934e2cd9ada416f49d4d20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97bc5b6b39934e2cd9ada416f49d4d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe
4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe
4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe
4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe
3572	sysdevbod.exe
3572	sysdevbod.exe
3180	aoptisys.exe
3180	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3572	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	86
PID 4888 wrote to memory of 3572	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	86
PID 4888 wrote to memory of 3572	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	86
PID 4888 wrote to memory of 3180	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	87
PID 4888 wrote to memory of 3180	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	87
PID 4888 wrote to memory of 3180	4888	97bc5b6b39934e2cd9ada416f49d4d20N.exe	87

C:\Users\Admin\AppData\Local\Temp\97bc5b6b39934e2cd9ada416f49d4d20N.exe
"C:\Users\Admin\AppData\Local\Temp\97bc5b6b39934e2cd9ada416f49d4d20N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Adobe8Q\aoptisys.exe
  C:\Adobe8Q\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8Q\aoptisys.exe

Filesize
759KB

MD5
badf2a237e783b4d2aff97973bcbfdc4

SHA1
ebc8153c61e16e1f6c4a985bca6e4b6b5898eb37

SHA256
c4df1c23746dbf6f8a95791f707947cc10cafd6c86d272041a586ae3636e41db

SHA512
befe775824845eae94738e13c1c64e4289e168caf14ddb4c4d2bbb37c9c0fc73c76eaab7706a0804ddd2ef254539417106bb69cfbfbf51e21f186074b921eaad

Download Submit
C:\Adobe8Q\aoptisys.exe

Filesize
2.6MB

MD5
9a83f207cf4a71127605950e6619aa93

SHA1
bc4aa42ae73bc97a8fcf520f5e1d73e26afb8dce

SHA256
3ce895c485fd0492ec49f45bc0e664c18be187dd581fbe88ae59f698aac20a49

SHA512
45624b580ce7289682564e81c030ef4e10dd903c07cc450709264bf36b17222e1a7ce1d4d5f14979371750718b1a9665f3520c788185beec80333648db624882

Download Submit
C:\MintUR\bodxec.exe

Filesize
59KB

MD5
c681406f0206ff6f39faae542685ca02

SHA1
17194a6e44c30508ab4b5584051495254faf1164

SHA256
2bd598777819ffc71cfc165de225f85fa08a8fb094956522458ba030d8043d34

SHA512
5907c2cdf30e397fcdb8d015b8ec0f14f4f27225dc83a2ccd23ac9b1fbee434243c8df0ff5ab840c9b7673d64fecac4ef327aed7ff9a61e9fba7de0cc66fad9c

Download Submit
C:\MintUR\bodxec.exe

Filesize
49KB

MD5
5139b167ad5088bb5e3cb3f439674ade

SHA1
f6929b7f22e30f06b3e4175e265e5d355d5d7e8a

SHA256
95f84b75e91ebc70e17a2183993fd1c1f0607e1c1f2095432283ced08338b05d

SHA512
3f566c19f63a417f8e29104ad4f9e08acc4f706160c049eabde3a7274be328615d3ec266040e90c9bee8e28a498a05c430907c81eb2d44e018a3cbff1d1a4383

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
6e29af30e8631a16262bb5d46dba3f47

SHA1
263c505dd9670aba6b53c7b690cdee54edccd12a

SHA256
e4e29abf69a260caf779d7689e139cc3ef91d8574830cc47005dfe58eb4daae3

SHA512
3701ea4eb7e3a6704715db164d6b9f0e56e14998bf1e87d645768f747e0c3911de5183ec866e4ba760eb68914716344a377116cafe1c8249b21fcac61a8d55a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
d81dbb38b6db88d59597e587ffc5d9c3

SHA1
c3150e4fe19493d60262afa49c96d05a89b3de31

SHA256
d17f55bb960f267f9e63087b6e6a5b243bbaf81fe7b521b9e6d8ab282a29b168

SHA512
2d726a4da636527d42cc079c91b1b0975193d3e6d4515e60ec322cf6aab7f68c0b48d30ef581e34d96ff64209d7057fce238c028284fd5bc61b7c4a4d6e7ada1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
cd38f17cced65bbde107d19c1e56686c

SHA1
432d931a34c4ac268eac25f2ef8d12a363afb1ad

SHA256
0afe12950f7e645bd91387159397c4dae63fbe15325860521d45b4e7dd618e95

SHA512
d0188eae07d658b70f4c2fde1dd35227b3ed5d60ef0a346d2cdff17d30bc537a5f90e4a1f079826f9e62a1460571d6fa80562ad3540c01cbc82918c1bc3c2541

Download Submit