e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9d

Analysis

max time kernel
119s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Size

3.6MB
MD5

73d8ccf4d90dc848c8a6fbee1b69feb0
SHA1

27e9df68ab43e4f4fef535e653b367d855b6d8a7
SHA256

e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9d
SHA512

77f9509820a7b6615d6b6cfeae2b3900e00ad78a71554db6d253451a8f486f7dabb9c58b95ed26f0b75b14774248a63ca0f6017de610073e044a06b78c2b5697
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe

Executes dropped EXE 2 IoCs

pid	Process
1648	sysdevbod.exe
3188	aoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOZ\\dobaloc.exe"	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0Q\\aoptiloc.exe"	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe
1648	sysdevbod.exe
1648	sysdevbod.exe
3188	aoptiloc.exe
3188	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1648	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	87
PID 4992 wrote to memory of 1648	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	87
PID 4992 wrote to memory of 1648	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	87
PID 4992 wrote to memory of 3188	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	90
PID 4992 wrote to memory of 3188	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	90
PID 4992 wrote to memory of 3188	4992	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	90

C:\Users\Admin\AppData\Local\Temp\e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
"C:\Users\Admin\AppData\Local\Temp\e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Adobe0Q\aoptiloc.exe
  C:\Adobe0Q\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0Q\aoptiloc.exe

Filesize
73KB

MD5
dc15e86e319ef185540511b77b43aa8f

SHA1
8a43b3cafc32391559f9308331f6eeb2dc06f750

SHA256
511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6

SHA512
c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667

Download Submit
C:\Adobe0Q\aoptiloc.exe

Filesize
3.6MB

MD5
5d2863d8e498f6a796a54acfcb6abe44

SHA1
4ba192b47a993e2e4b425c14c54b49d3dd867b85

SHA256
c04daa64ecabdf426aa692ef7a158d531aaa6bbf1794e52660465942469e6513

SHA512
b29b1f19fa733d36f958fea04e8b11d45075eff9b06d88af7dcb3dcd6fcbe7ceb44e6c678f040878c06ab39a5c9d3fa2470234bf61bf29d1ebdeaf58daa21271

Download Submit
C:\GalaxOZ\dobaloc.exe

Filesize
3.6MB

MD5
5a5cf10e5a56c6d3e0b96df51339d3a8

SHA1
b8f1869bada4a5d3848be1526e3eac3387b71d3e

SHA256
ba660795a3a033b96af65cb3cc6c64823bf3a3e4af50353340bcd8adf02e96d9

SHA512
3e7bbbe2a5349c5c842f13cfc36560d586cf06c4d093d74a513a9ddeab46dcdf9d3bea3962247122e1f18bc03196e9ab38fbcdc8701a8b6c10c34df605c244bc

Download Submit
C:\GalaxOZ\dobaloc.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
45696ab53c4adf84249c03855173f7dd

SHA1
4bbe2e6144b02b3ddce2cfeb2514e9eca7785173

SHA256
355e3af3d10b30adb62c9dbeb7b2a0396f675f42964a358d3989f8aaf35299fd

SHA512
a7090306c82b5f210e56295cad60d3c04c8a4ef2017e1dc79966e3b7b7491551a1e9f234ed3ecabf866033f2698fd4667d3a1da19f0f9fa11b8522861d2dfd5b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
00e3b16de99fcef7d36c1cac4f03f8c0

SHA1
ef0aef00c488306ea94cd008a23cc5585352e459

SHA256
ccbee8ad25d4fd4ba4b2f400e7c8f6af08b43ea1d9b11de9ff5993d84b28f157

SHA512
44bc44da3e10ba55e35769c244c8ad271aaa75923f6fc5eadf79301a66d8ef93bea552c63f2c9899a557977ee032b8d1e6f2c1228003cff01f0d8ac5016f080e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
fa50632dac8793ace27ceb84e3f874b5

SHA1
c3ad07e66b240366198b94e5875ede5a8070d653

SHA256
dfddcbda6c1b83236d28af9f591246018d02412f6ca738692384d295b370e90a

SHA512
4fd4e15dcf593459350cf6174d9c99382728a6e44210a657bbcb8a0bc06aeec21cc33ef28a9536c9f5fd18a9e5b9c7afe625410a59f88afdb21574d518d64d9a

Download Submit