835de684255c31fb62160d82f1973e49f132a6f4476d055233356db3088aa73e

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

158356ef887e9e9901760c933cd85740N.exe
Size

2.6MB
MD5

158356ef887e9e9901760c933cd85740
SHA1

738d9d49671ca8e88cd4eb6ea2e3ff0b34b37769
SHA256

835de684255c31fb62160d82f1973e49f132a6f4476d055233356db3088aa73e
SHA512

ba11b8d3b1a42c0a5bda0894c7d5e620443eaff5a75497d2f712fa36dde878ba605e14a41404f1f6987d701cf4ebb6ced4de536caae0953f893ccf7ae98b2371
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	158356ef887e9e9901760c933cd85740N.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	sysdevopti.exe
2732	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	158356ef887e9e9901760c933cd85740N.exe
2472	158356ef887e9e9901760c933cd85740N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9M\\aoptisys.exe"	158356ef887e9e9901760c933cd85740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0U\\dobdevloc.exe"	158356ef887e9e9901760c933cd85740N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158356ef887e9e9901760c933cd85740N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	158356ef887e9e9901760c933cd85740N.exe
2472	158356ef887e9e9901760c933cd85740N.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe
2804	sysdevopti.exe
2732	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2804	2472	158356ef887e9e9901760c933cd85740N.exe	30
PID 2472 wrote to memory of 2804	2472	158356ef887e9e9901760c933cd85740N.exe	30
PID 2472 wrote to memory of 2804	2472	158356ef887e9e9901760c933cd85740N.exe	30
PID 2472 wrote to memory of 2804	2472	158356ef887e9e9901760c933cd85740N.exe	30
PID 2472 wrote to memory of 2732	2472	158356ef887e9e9901760c933cd85740N.exe	31
PID 2472 wrote to memory of 2732	2472	158356ef887e9e9901760c933cd85740N.exe	31
PID 2472 wrote to memory of 2732	2472	158356ef887e9e9901760c933cd85740N.exe	31
PID 2472 wrote to memory of 2732	2472	158356ef887e9e9901760c933cd85740N.exe	31

C:\Users\Admin\AppData\Local\Temp\158356ef887e9e9901760c933cd85740N.exe
"C:\Users\Admin\AppData\Local\Temp\158356ef887e9e9901760c933cd85740N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Adobe9M\aoptisys.exe
  C:\Adobe9M\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9M\aoptisys.exe

Filesize
2.6MB

MD5
9d8a7785849a9a59ca434d7e9e5c7d25

SHA1
3dfa9eea91d22a151b235b0c28bb44658b4c74cb

SHA256
cd5210850fb415247d75a76c0f6c5a8e27a188c273c996e22fb17a36240a496e

SHA512
1794d98949f72e65d54016e90e430abe10b76375368b8303858c950762b8c24777d6f284ce625d6d339aaee503725c434d2f1039b44c1a83af056d019b66bf86

Download Submit
C:\Mint0U\dobdevloc.exe

Filesize
2.6MB

MD5
0fef0355073ccbb62f8fe60a945a699d

SHA1
9574df6dc98635549c3ad6a95d37cb05e996f7ac

SHA256
a013c2b9eb87d302748c59efe21376b8148543c1dbfbe7787702592adc6cd0b7

SHA512
1f003f930b44753b14f3ea91a5dc4bfd477f408f7e5de6baf40c17967a5ed04d168bee7083220eeca653b59b02b691ab286957e6e53f8bf5f7fff876d678b3c6

Download Submit
C:\Mint0U\dobdevloc.exe

Filesize
2.6MB

MD5
00ad71aa0f95457d87f2945144665ee1

SHA1
551d3e4dfb017e00dd00dd719954c317afb1e9f5

SHA256
e1a5bd2bb2a39aec14d105b743a2cc9c72fc07858e150ce093e617edab7c1e21

SHA512
673e53c4ed5fd7c7a4de4b553a40ff5186d7187e78624bf68bb3ccbbfa4c342547c355c3ba62b2b0f60d4a61698854172c771bb2113d37dd08c13fe6180a3dfc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
741312b630f7e58a1ee78517252fb110

SHA1
3390693f6a06d73dc60472006e84ce4d0aebe6fb

SHA256
1f7c0aeb284bdb2c47e5ca778255018d39ebb61659915b2f7d14c9c1e368c7c3

SHA512
aadeb9d203473f74168a6abe4e1017852d0cb7b7e7cd4653cb11082270d2f5635552d1fe0e5cd69c8c16122e7c1b9bb6957ccbcaef1d60ae0e49968d70b7be7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
f9926a366b08a6312299e1a4731bd08b

SHA1
9fc4fb724f8a45a20d8d74a54206829e98371e99

SHA256
17e0e9c62293000a824a50ca2b7f6909fd990c9b364df624177b3ec0594bd95c

SHA512
c7645823ee2b62e5a7001fcd7fea238feb7576e73e8ca82f3ff6d282259c5e6d8e68120117c0ef624b8629ad2c40eae17bb1cea31206f5116ac587dc5229b896

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
3f033349d9d845369b9bc62ccddace97

SHA1
3a6b0413c34db87854f7641efe20e9720ea04d49

SHA256
7333460cc4435f02fc98a59ecd9dc60586462e6387d5fa999a10a32a2f3caf2b

SHA512
7fd7c94e919a1ac8a15f6229c3451feb86e38f94b0c48bb61ace1587f8157e0b4781092b00ed5c6cb76276a093a934ab669b6cb3e4b2bbdb8d40598133891200

Download Submit