f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
Size

2.6MB
MD5

592f71b332370559b7e5b496f4c2ccf5
SHA1

5a51bb98acde1dcd1f0c2af30fdd3e6a7cbf4246
SHA256

f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f
SHA512

0c530b0cf2fbecb60d5fe9829640f65061c2b82f4d864d9ff14655739f03e29ddcd0915cafb8d10947e5aaccc5c3f79409d3c109b44c5bb293b9ff5bb25d3f4e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpjb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe

Executes dropped EXE 2 IoCs

pid	Process
1380	sysadob.exe
1428	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCI\\aoptiec.exe"	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZN\\boddevsys.exe"	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe
1380	sysadob.exe
1380	sysadob.exe
1428	aoptiec.exe
1428	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1380	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	86
PID 2800 wrote to memory of 1380	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	86
PID 2800 wrote to memory of 1380	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	86
PID 2800 wrote to memory of 1428	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	87
PID 2800 wrote to memory of 1428	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	87
PID 2800 wrote to memory of 1428	2800	f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe	87

C:\Users\Admin\AppData\Local\Temp\f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe
"C:\Users\Admin\AppData\Local\Temp\f094be8efe3bdde143c06d06628b48b140cadd66034914ebc2d8f4c723c45c9f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\SysDrvCI\aoptiec.exe
  C:\SysDrvCI\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBZN\boddevsys.exe

Filesize
13KB

MD5
8c3627c138b69a29f1f3e7743c377ac9

SHA1
38d00db20d4ccba9fef285bc5b2c50eb73f352a7

SHA256
2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627

SHA512
0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21

Download Submit
C:\KaVBZN\boddevsys.exe

Filesize
1.4MB

MD5
b64c73b7d7f7f81df1da370ae65ba8e6

SHA1
38ffbe17167bc3a71b9aa4353a37e295a20a941d

SHA256
51abe48f70ea072d1b66118419748b83bfa7b627fd6a974ad6a4f7edf290288e

SHA512
39d5c2cd236c445fd1052d2f2e2761b9f08f5d226ceb76cd640aaafe7ce4fcd382913bc8c6aba8f4480d386f90c41892b644ef37f973dbcf34f3a452fdb28655

Download Submit
C:\SysDrvCI\aoptiec.exe

Filesize
134KB

MD5
4e3f0403281081be22e935b61607e38a

SHA1
8a353b0fd989513c50be92552a084e2b464cde55

SHA256
a2d5837eccdc818c27f27ea24182bd347934612294d034840411da38b39f857c

SHA512
56e64b0abe8de2cdaf46de63e20bb49330fe6df252496e15f2157795f67067eb6a5f7f5dfc0d9c65f7ef3db170f0cc5e09b78fdd2522d84b05e57bfb83b52471

Download Submit
C:\SysDrvCI\aoptiec.exe

Filesize
2.6MB

MD5
46d5086f0ef2ec7b3ac988cb48c3bd02

SHA1
16a14ac28ea885f951ccefbb7a890406ae1e31d0

SHA256
65721ac22c5bc24536c7287b7cf318392070891cef3895d377a9c4fc8b8da3d3

SHA512
a986894610458174abf8677029c6bac7aa2dcabbf92db653b919fc14f72d42580a2de8398211d0101826c44b1edb6468f996ad205eadc188ac546302f75199a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
ea9914d24593b0d7f12a46fe5e8fcb81

SHA1
96eada596b1cec05c8cb80fc461d2c002fd848ed

SHA256
894e50481cdfef04ec13211f7f67d0d824b50860db0bdffab3c8c165b1b2967d

SHA512
eb225b1aa07750495de2ada6c007eebe38cbf167df520862805885a137555425f2bb45129b89b4a19d52a98fa714e420f367c352269e3159694cdf1379ab4416

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4187f9f547287e6575ff2fc8bbf2bb39

SHA1
e8ef4c829d23d791967a4480adab3035646a401c

SHA256
6fbc11a1608b121e79617bc6ac2561fc2cbcfe54f8feeaf5cbce697452f31914

SHA512
598de4f11e4564363774cd7941b5c038b00567218096d03624902b2c0661f8717e80ad679fdb379ff0ec96455abb5485407042ba2d37186c3f62d14d88128bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
20c2f9cff7f28261d188595849971536

SHA1
61bcc75cab72a5de395066eba20f7814fba296fc

SHA256
c78bdb34382907b1e882fdfcd503438df56950b530f100b80dc48352aa988a98

SHA512
497fd03b2cf3d28722242501bc37d14421e579342868f68623009b9edf391c1c77db30d4a2da9e8e761b42f9ec30cfdcb5ac1cd9f09086c6d10af4245ff39e5f

Download Submit