de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 10:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
Size

2.6MB
MD5

0367a98996624894fa2ded250c3c0350
SHA1

50c6b6d03a3f58387a37fd515ef558cf1071f886
SHA256

de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0
SHA512

e3f69bb4ceb96027c242cb42ab4f21c07fdd526d72f28d17b4d8d9a1c0646bead3216352961c46ac140b7aa83255f14750735744f2f3190e75791c97549b2d80
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	sysaopti.exe
1432	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\devoptiec.exe"	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYW\\optidevsys.exe"	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe
2820	sysaopti.exe
1432	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2820	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	31
PID 2136 wrote to memory of 2820	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	31
PID 2136 wrote to memory of 2820	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	31
PID 2136 wrote to memory of 2820	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	31
PID 2136 wrote to memory of 1432	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	32
PID 2136 wrote to memory of 1432	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	32
PID 2136 wrote to memory of 1432	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	32
PID 2136 wrote to memory of 1432	2136	de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe	32

C:\Users\Admin\AppData\Local\Temp\de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\de3c2d41b50bd3f8650bf3fb78c34a94e0dacce650012677719e2d3757aafbf0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\SysDrvJD\devoptiec.exe
  C:\SysDrvJD\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZYW\optidevsys.exe

Filesize
103KB

MD5
10f744dc293735fe906429e485f5da87

SHA1
5b0d1423397259c2e22cea56aa5763e83355cf69

SHA256
57b9943706121558d44ed188b2e9c5a243331fd233f077bed7e4e5adbdb0532e

SHA512
621cb712abf4cd25fc95eeed560d6eb5bc4136a508561e76413a7509eaf847e4b591ceca4e54c1167072f6e14eb2576ad7faef2f511e6615e898c4f60e3b7196

Download Submit
C:\LabZYW\optidevsys.exe

Filesize
2.6MB

MD5
45db1f034dd9ff84aa8a4846dd2135aa

SHA1
a9d090bc1d2822564e37746718086b0bc8f62e95

SHA256
8e115e4b733948c069c419ac6ed208da749f09bcb30a09f9ea5266a638d4c57c

SHA512
fba7ce13aa6a36054161d8815a273fbb4860ee1974d6a22aefc4956083591aa714bc11af8119ea13a70c8d13f2ca7e75fc8114e7d0ebaebb9044db499dc5bbe5

Download Submit
C:\SysDrvJD\devoptiec.exe

Filesize
63KB

MD5
1754e9fe985ad47870a1029ba0cdfb25

SHA1
029ec938d16ab8fd4337ddccb36eff07183b3e57

SHA256
f65bfd349bee783787ad1d829523845389f236c4d059b95fb1811acf0c3d3562

SHA512
2e0a050a775f66c499868d3f064b7c1edd9e41fc6cb0ac46933ace0ce92753768b39b0ad29de0b8e53dd8e9f19c3dc9c6aafc11574264488017afbf82531e325

Download Submit
C:\SysDrvJD\devoptiec.exe

Filesize
2.6MB

MD5
108a0ddbd3dcf6e059873314dc8ca9c6

SHA1
cc061f977a4dc884710ab60003b763965264f7b7

SHA256
61864eb8c88de1a7af1fb93827ded366d7a9fd1aad82d5bcc2b5033c03db9ac0

SHA512
fddb5379c15822e059ed0c1630b756d62b155208fdd59596001f8e216346e581d45bc8b3a2a55e5b4752e98ee0a91df1c483b062d4e74843f1fd1a5a62cf415d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
d12265c102375248ac6b62191cbb0241

SHA1
f466121851b8793bfbbfa8c55bd333a3455205aa

SHA256
d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810

SHA512
c7b2a2628d69035ff452df48426309960ddeaef697d05be2a0fe4aaa394a9e7f81e9d5db607934f103c18b0c39ac575acdb97b856c7275babe779e31dec52856

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
31d541541abdfa4a1aec637938c6ccaa

SHA1
e1e92db932721c8050588a147687f27853cf6de9

SHA256
5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09

SHA512
048064be3b85d57b671c4e187838d063a16e2b86ac9cd36e6519d77a93a954424c690ebcb4d955c745380e54a11fb7696624c9268cb9c9a78d870259ae6205df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
db048c4fe9329dbc28a5ff34b71bab2c

SHA1
f8e535cc1cd81f82b127237581ae9a1e647f65db

SHA256
d1911215279c3e82e192b3561cc7d56c14cd66b03618867a64bf5c21ba49f7eb

SHA512
9ddbd9efe8efc214311a5e8744b0d951c4a4e5f212fa2153db38d5fcbee9a41c375219ca081f14bf71041b38245159eb53f0514b2eef83dbb2faa0227a3dc27c

Download Submit