d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bd

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
Size

2.6MB
MD5

3a137d321bcdc3939aec35a7c4166a40
SHA1

2077412f1ee5fdd1304d1c57b1b06b477acfa3e2
SHA256

d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bd
SHA512

3fde7eb42ffd99de0fefc2453221e4dea1187771a2d199e2f43bb9142fffbc27951a28042cfe41595d20e61af9d7c99dc76c6765c0882e0431e066cc4b162006
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	locdevdob.exe
2784	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOG\\aoptisys.exe"	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7A\\dobdevloc.exe"	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe
2760	locdevdob.exe
2784	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2760	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	30
PID 2156 wrote to memory of 2760	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	30
PID 2156 wrote to memory of 2760	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	30
PID 2156 wrote to memory of 2760	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	30
PID 2156 wrote to memory of 2784	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	31
PID 2156 wrote to memory of 2784	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	31
PID 2156 wrote to memory of 2784	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	31
PID 2156 wrote to memory of 2784	2156	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	31

C:\Users\Admin\AppData\Local\Temp\d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
"C:\Users\Admin\AppData\Local\Temp\d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\AdobeOG\aoptisys.exe
  C:\AdobeOG\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOG\aoptisys.exe

Filesize
2.6MB

MD5
05667e0218d04bc383513308bd14eaa5

SHA1
9e335b5073b0252570b531166f222b8a96a43bb1

SHA256
da40a9db9ca6f4cd12400c48a97b3e5249847eb235777b5a57b5986d56e5605b

SHA512
bf9023d18d41b50589daedbfeec23c37cad38b23bfb31ba465fabfe686308551b253bf56e945cd7481a0d662d939e2900863d0a8313d2b4c0a4f1b369de271e8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
64b3bb08a06fbfeab7846f5219c04b16

SHA1
c08f4f4648c636439c3d9dcf15c37ffa19313071

SHA256
d247d09566f7aeb37867372b5ff2b28bd67775c31e66b75fb19a3d605d330668

SHA512
a6410e8f91f85797a4a53b8fffa54ac0c2c73a8a29c03e091565a7e55efe2d19abc693083fac4bd661eee132dc9b4a98142f8d048b8c05000640c5a54b2552a2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2b138fd52d5a38ba471fffed93dbfa9d

SHA1
bf96d95a83eaad864ae7354f4ba5f4b201c5c83c

SHA256
789bc4c231ff804b9df6481351af2a6d617d193455fb069908f3d0ade25920b7

SHA512
ec214cd26a55174cdcfea2ad4ab52a9ac7e208ecbbb5839c3f73e64d7609861794dbe9a442127a922862221d31a65f2a1d717cf658d11d94456f04ba6e545e15

Download Submit
C:\Vid7A\dobdevloc.exe

Filesize
2.6MB

MD5
c9e1cf3d11ad4f5031d11bd7dd4a443f

SHA1
a6e98a185271605b2bade8dc703ecb48544298d4

SHA256
8db74dc6906e525c967e5103fedea47aa7c343efa657d25139f58b98d313bebc

SHA512
70ec9ae93c4511ea6f81e3c84f01ce9839b9c7b9f87fdab13cae4ab604ca8c3d8b0e9d6e49b16358e391727211d6974689c827dbdbafbc867ba2338e5917037f

Download Submit
C:\Vid7A\dobdevloc.exe

Filesize
2.6MB

MD5
e3c3d83fb5730e022a260136ab94d2d8

SHA1
a7a3b08eee2c9fd376db61d0d9855fe70e4f6095

SHA256
ef37023fd1b1a744a29ea38e6a7cf7201f4e6d6d0d1ab42f5e1849ac8cbf27d9

SHA512
f793a7193f3c3b997590fa18413531f0894966cd28d56c3aa197f22fa01d6d1b6164ec72e01f0b339dc873ec71c688fd43bc16a9333e8a2c392abf074bf2d5a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
25c462d4fdf4ae011df973a755b47780

SHA1
1acdaaf1400ed1faf90da8929f0de291667d5825

SHA256
41d283e6802c6b47afddd41911e721c65fd4ae8c16422a92aeca129ad08bfe2c

SHA512
594c153d80f0fb619037e40954212ecf8d10079dff516481364e18f45be3bed0b92a5a793730caaeea0e2b7d20c1fd0a1dd52bb7019ba1f0adbfd9d7905619f6

Download Submit