67e3fb3193427369cf6cfdc2084a95ffde2ec3b8d739fe5a1f8d45bde8ce377d

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06835cff0c4a008d639c5d2747284940N.exe
Size

2.6MB
MD5

06835cff0c4a008d639c5d2747284940
SHA1

06979f10baa4ac7e38e651c5b2faa3347f19afef
SHA256

67e3fb3193427369cf6cfdc2084a95ffde2ec3b8d739fe5a1f8d45bde8ce377d
SHA512

36ecef71efbded860ce8229a479579a3e86b060d4669fe62a11a3f6281eb191d66b0efaa6906c3b57f9a1a0417d57dc294eccbfe9570509cf21c841f3502ba9c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	06835cff0c4a008d639c5d2747284940N.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	sysdevopti.exe
3000	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	06835cff0c4a008d639c5d2747284940N.exe
1864	06835cff0c4a008d639c5d2747284940N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYQ\\aoptisys.exe"	06835cff0c4a008d639c5d2747284940N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidK8\\optixec.exe"	06835cff0c4a008d639c5d2747284940N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06835cff0c4a008d639c5d2747284940N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	06835cff0c4a008d639c5d2747284940N.exe
1864	06835cff0c4a008d639c5d2747284940N.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe
1244	sysdevopti.exe
3000	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1244	1864	06835cff0c4a008d639c5d2747284940N.exe	30
PID 1864 wrote to memory of 1244	1864	06835cff0c4a008d639c5d2747284940N.exe	30
PID 1864 wrote to memory of 1244	1864	06835cff0c4a008d639c5d2747284940N.exe	30
PID 1864 wrote to memory of 1244	1864	06835cff0c4a008d639c5d2747284940N.exe	30
PID 1864 wrote to memory of 3000	1864	06835cff0c4a008d639c5d2747284940N.exe	31
PID 1864 wrote to memory of 3000	1864	06835cff0c4a008d639c5d2747284940N.exe	31
PID 1864 wrote to memory of 3000	1864	06835cff0c4a008d639c5d2747284940N.exe	31
PID 1864 wrote to memory of 3000	1864	06835cff0c4a008d639c5d2747284940N.exe	31

C:\Users\Admin\AppData\Local\Temp\06835cff0c4a008d639c5d2747284940N.exe
"C:\Users\Admin\AppData\Local\Temp\06835cff0c4a008d639c5d2747284940N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\AdobeYQ\aoptisys.exe
  C:\AdobeYQ\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeYQ\aoptisys.exe

Filesize
2.6MB

MD5
4291cd208bd9814daad4fc92512d1786

SHA1
044f35cea6935d38d8089c8f3bc54bee731db191

SHA256
6ff798705b632d57c9b7fb2a1f163abfd6628d15fd627522501bf158085899b1

SHA512
c327f967c278ffa85630eca037fbb3bcc955edaeb4eba205d68a6f135cbf3e9a999f3d27d2e7fea15d81cdc76cf21b31a0b218a12ae7d2e8c303179af20f0c63

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
b47a43cc256062b16b6bb6d0745aca1b

SHA1
236f9b92dda0081df1bb2db5eff0e0c0f5e61784

SHA256
9b7bba7ced163c39be11de2497f9aa019094d7b47b7b8ab60679cc6d7519d54c

SHA512
494fee1d1434d1d7473f1b489b21e15150863423e5906114398931eb4c7a88acf90e6a5e28ec67c33c57022b8deef9cca972467083d9f44a68a6870b0fb16d57

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3be3d11614e9d8ef0658a531a3855523

SHA1
9b2f27cef16894aa5bf217c449ea446b12230aa1

SHA256
c373897cc65778cdc6ddf52451e35305dd839251699083a114c1e36f84f85cc6

SHA512
88918dc5b08fe45ad8082ebdb8fc5ef494c61da656179b9e01662d81820cee4153a6a8f8d36308df6707971ba54c579532843ef20481f051033dfecb54a10cd4

Download Submit
C:\VidK8\optixec.exe

Filesize
2.6MB

MD5
0458700d00822d2ddc34940163ace6a5

SHA1
a69828c7a2fa03d3e119cecc6f94ec27e50fabda

SHA256
2332d048b9eb96f22ae261e1aa5aa55646d0bd524c668bb4431745de7dc5c82b

SHA512
b5c13e46a6ad6202a4d5d70729c41f0ccec9fd1323f14d4428c394ed73305a7245e956ed6369ec81e1e55c753982c57f6c3f876bb2af1106642177ad46d479de

Download Submit
C:\VidK8\optixec.exe

Filesize
2.6MB

MD5
306f0145f5607ae16bbf0ac435fb3207

SHA1
5f857c9c43b4b7c75bb78d35457c2386071d71c0

SHA256
9ebf6efa070e11dbbf2c9fe8c9d216da6660bf072dc656a76102d6e06ae3bcca

SHA512
5c5893991224a53d9350a24669782f94b153bc8e0ee033de06f56fa78c1a998de56afdcdadd0caedf6bbe2a3566152c6f968d89182d6b2a6a92df43ecac60e03

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
9ae5b1f0c9dfb101ac0a4f43085da184

SHA1
beb7834ca233417e7f286a053528fc739d5caeea

SHA256
9afae64bd94f9db7e2a776adbdba9e91883e8f8c1d722df1da579e6110149f36

SHA512
77196ef705629c9fbc616dfcf4ae5143af8ded2c4ee8757de8876c7f261f6cc72ee25d5e762c00522484313cb18195c361aab0c7fce38298803e7ccc6645e341

Download Submit