79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Size

2.6MB
MD5

b793dc2ed636fdaee1a701e05fde1640
SHA1

23741caf22809c1bfb9b9d803a070f45b95dfa26
SHA256

4e243bfc150e3df8b0b6c3f274c51e21a61c58b261c4ee963ff3cc1b000b55c9
SHA512

d4f0e7a3aea5cb7216cb7fa0a290845fcf92413c83edd3de3302ffda45a52ee3a28c7faa6da9391be03f7818441b68b96c1c95548e28dc1419eb79f469b92e94
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe

Executes dropped EXE 2 IoCs

pid	Process
1040	sysaopti.exe
1680	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCF\\devdobloc.exe"	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJA\\optixloc.exe"	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe
1040	sysaopti.exe
1680	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1040	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	30
PID 1748 wrote to memory of 1040	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	30
PID 1748 wrote to memory of 1040	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	30
PID 1748 wrote to memory of 1040	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	30
PID 1748 wrote to memory of 1680	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	31
PID 1748 wrote to memory of 1680	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	31
PID 1748 wrote to memory of 1680	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	31
PID 1748 wrote to memory of 1680	1748	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	31

C:\Users\Admin\AppData\Local\Temp\virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\IntelprocCF\devdobloc.exe
  C:\IntelprocCF\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocCF\devdobloc.exe

Filesize
2.6MB

MD5
5fb1621becdc75cf65c083a2a8c7c08e

SHA1
0758b6b8c1f1b946d0a71043c81cb59a96f22397

SHA256
6f6637af3e9a0d06c258b96cba9ff451a7e2e0f3c7d639151575863c49099e5e

SHA512
5a3eca7fa71ce3a6865865e53a9e10b39e99d8d60eec4f6f30c333c425d7c22d035677ab7f254dbc330749b80144f51f66aae1d96440a0aaa113e418c93fc1fb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
d9647b52767758a2015a2485f98747aa

SHA1
19068ecc020885cbbbfe2c391e5452095f3293d5

SHA256
de8bb1bba912a61f18adf77540b8e5c94d241bf16f6f1b3da2d704949314571c

SHA512
94049e8aae074c358ddb3d99b6958abc350c7a7913cec0bcee234f6a51f1b0a22ef3e5de55759cf6c8d0fbeb5d6c87b0f0dbb0463920bab102d4c930e76a0169

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
abdfa41080cd1d15ce13136983b54894

SHA1
397f3d6c6cf2ea6fa55880b1b9c6495690d26fb6

SHA256
8afe086412ba394c1e3ce3699acc2217191133c29fb8b59ba37723a408c353ce

SHA512
4f7baf289487ecee3123608a277cc60fa3daa93ebe40e9f2bae7353fd4d345430d672616ef21a2e4ae52722daecc33c857445e9513f4fc3c6ce54514f54772bd

Download Submit
C:\VidJA\optixloc.exe

Filesize
42KB

MD5
966f180f552aa615715f6e8ba8c58a17

SHA1
bfacaa444b38c5f78430b33fa82493cc7e00ab5a

SHA256
4845428cf5919ecfe20bc1cfb9eb5027c7f54fba580c4d822841645fe6211742

SHA512
a37d8d45e0d0ae4c1492dc4e2745c0e2ac7cecebbc848f1ef4a4a83f182957bfe5d82d72290599b4a1fbd526a3d52d72a1a1b4d32eb7c287fb6991e333d1bb8f

Download Submit
C:\VidJA\optixloc.exe

Filesize
2.6MB

MD5
2201283b56a4aba552d163a8818ddc4f

SHA1
c6d9b65027377ae62da66dd78d06faefd5388df1

SHA256
b14b38f9ba76b7682c96ba8cfd8d3a2399855aeacf2e718799b38816502ae455

SHA512
09e9ffa8676cb4a0eddf99e274c1b7a52219a96f1382945a0f12cdfde9c62e236991f71b31c0cb5085b250148be68c2946162fc235bdf3d78988475002380571

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
22206f20c86bc20590595c48417bc825

SHA1
0bcd4ed5f9f7d34012a4db14106457354b4daa66

SHA256
c3a145786d8cab252b165ad4418917d6c83581056e9fec43bf56c203ffceff35

SHA512
51d1e494990a6852659b9d089df4ff0eda59d28c8f43509245f7a232e4df0ec715e1105aa98b98db6615481f98042564025a301e9c25474c71eaafe7d6580bf9

Download Submit