79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_c527d92958bc1247a6471765e5449c60.exe
Size

2.6MB
MD5

c527d92958bc1247a6471765e5449c60
SHA1

84fba87a0998698d3b6040dcfb83667a3eb2109b
SHA256

e9b4211e90f2c15e783c73a5998e3284b75b4afe70dae956e6dab0eb17732125
SHA512

1fdcac718581fa8fbdf15b3d3cdb0c2cf06f6a9a56facab47cf1841578264a1a6014cc51c07488939005852a569ae8c4c45b61b54e0b99d4d1f0bc78c1daa8da
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSq:sxX7QnxrloE5dpUpUbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	virussign.com_c527d92958bc1247a6471765e5449c60.exe

Executes dropped EXE 2 IoCs

pid	Process
4980	sysaopti.exe
2776	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYD\\aoptiec.exe"	virussign.com_c527d92958bc1247a6471765e5449c60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBS\\optixec.exe"	virussign.com_c527d92958bc1247a6471765e5449c60.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_c527d92958bc1247a6471765e5449c60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe
4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe
4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe
4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe
4980	sysaopti.exe
4980	sysaopti.exe
2776	aoptiec.exe
2776	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4980	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	84
PID 4904 wrote to memory of 4980	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	84
PID 4904 wrote to memory of 4980	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	84
PID 4904 wrote to memory of 2776	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	88
PID 4904 wrote to memory of 2776	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	88
PID 4904 wrote to memory of 2776	4904	virussign.com_c527d92958bc1247a6471765e5449c60.exe	88

C:\Users\Admin\AppData\Local\Temp\virussign.com_c527d92958bc1247a6471765e5449c60.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_c527d92958bc1247a6471765e5449c60.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\UserDotYD\aoptiec.exe
  C:\UserDotYD\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotYD\aoptiec.exe

Filesize
272KB

MD5
20637ffcf1493d677450ba3dcf3b3015

SHA1
4a304e2bf9e418106d2fa8fe3968a88806d4562d

SHA256
8c2d546f232c74c51f7585c96e5be2f971a0053cd3b929f53c5c26dd6cbc7c56

SHA512
8432523afb43babdb05b48fbc6a9b75ee6c23902a3f15645fa1957fe2597ee81c46a8307f34fb2e9f2dab41fab17722609cba40cfa9cc5c8f8056cf5ac0437e5

Download Submit
C:\UserDotYD\aoptiec.exe

Filesize
2.6MB

MD5
f66e6d83a6c63d6ddb2efbadc1b2c973

SHA1
f6c474a86f7f12ec47cb49fd92c7159e14dd2b83

SHA256
cf1917e79d860849436b24d4dc83bb3cefbb23ad81e9bc462b38b870d39339b1

SHA512
896d8330e21562fe5af89325bed39561babf8e052da9da4774b8c9cdc403641907ccdc19f9655f242395a48cd303ad75da9c4a61080f77cc75ae3b5329c22d44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
2fd72b4320225b098c29f1adaea103ef

SHA1
c9fcc4e76ad2172f52fc631f3e4e5d559a540c3b

SHA256
5e02025f76baa6fdc94db990600ab2c7aae44f51926b5cbe8f3f7c36072a9c2e

SHA512
d323b29f040d7360ddaf3f6f2cf7710da114ae13532b0152d957ec5de839ef1b4d3a357b278bffed77180191b178e5fe9b84dc7a8f07abdf38bec6111cb2b007

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
e0f01def667777f2ffca0fb99d9e7749

SHA1
8fd84a229d2eeeb8731e77611b16285d1b46b4c4

SHA256
07e504fd81b6d9eb1c5911521644014c0545fe3254f3073e70247858926e3145

SHA512
864dc79157e7fe51300c57943e2c5a9a9ef8787954afe24511207e07b136dc115051cd6ba76028940ce5a8b528167d2de455cf78f533284257719b7459cadede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
50594f36d9b053bd57b5b00b592aa99e

SHA1
5c6066bc50e1f3a1c6901cf63fc4e40a10ac2fbd

SHA256
39f52b26eb97939dccda23320116b1d038d546d726f35c49cb03d835584c2741

SHA512
9632d3f1f219b05f9734ccbb6c53b78e285cb12d884a3cbe791c9a5cc60e2698f301e8c7d03f83d66c629fde2fd7c522a7be638c53c9c8adb57c48fa54eebcd4

Download Submit
C:\VidBS\optixec.exe

Filesize
2.6MB

MD5
e02550d2dbaa2cc06bdd7411f9755619

SHA1
128c468da8475db95140ba7acf083cf22b2d4a6f

SHA256
241a267b9c19d50ed714e4f933f7149acd46737839c0ba396496c23f4e5c6d5d

SHA512
9c44562981677561b1a553701636e41b80def2ae914452cc47120a2668e42c66659afacf5cf01e60419c9c248ba39d704dc503473d801caed4c320c21340363e

Download Submit
C:\VidBS\optixec.exe

Filesize
2.6MB

MD5
12f459465bd8c0fd135cd22ecbfb1585

SHA1
45ac1ea02b1bfaf39a4611cc6c5fff9825b245bb

SHA256
64c9b8dbc5255f36a2282797910e4325de3069a251c418b602d639fc0adbd9b5

SHA512
ea22341b8bf9c81f594953e58a7caa757d95fd3e9de9fd46f0f1eb801cc307d9ba83eef9f428a7af0a0bf08dbb8d9c633184fc450cf4446bc917abf442c4ffcc

Download Submit