0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
Size

3.1MB
MD5

bacbfad486adb2ad0396be6928d9f76b
SHA1

967ce8d9150225341c447b7b0d1391ff2f48b4a1
SHA256

0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03
SHA512

1e08f548bf3a39c99636287800a01690b4270ba820e8af6e040596664a17c9344a4442e05de999be7fdb13813e922590548ace1e4ea523198f8a76785d4c8a3f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpKbVz8eLFc

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	sysdevdob.exe
2700	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0R\\aoptiloc.exe"	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB87\\boddevloc.exe"	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe
2700	aoptiloc.exe
2776	sysdevdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2776	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	30
PID 2892 wrote to memory of 2776	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	30
PID 2892 wrote to memory of 2776	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	30
PID 2892 wrote to memory of 2776	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	30
PID 2892 wrote to memory of 2700	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	31
PID 2892 wrote to memory of 2700	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	31
PID 2892 wrote to memory of 2700	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	31
PID 2892 wrote to memory of 2700	2892	0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe	31

C:\Users\Admin\AppData\Local\Temp\0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe
"C:\Users\Admin\AppData\Local\Temp\0e1a23e35a53936e2336bd82ab9ad1bd49435a131cbcbc2e977ef9bcaa159b03.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Adobe0R\aoptiloc.exe
  C:\Adobe0R\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0R\aoptiloc.exe

Filesize
3.1MB

MD5
4ef6f019c8e797d5a7094e888fde0fc4

SHA1
897d5efeae6169c6638bef84d6a8e603527bd837

SHA256
8aa4138b97216b9835da93b61adceff51ec26e59b0262bc23f63cbfe49dccf0a

SHA512
71216d505584d12380c41bf8852497bc234f35e5298ed07ceca980b86edbb788299a4c571b5e68c1f6045a8b774f1cfe688736081eeee97cb847b417bf2be5f3

Download Submit
C:\KaVB87\boddevloc.exe

Filesize
3.1MB

MD5
01d1928f95e93e4a2dae0e8dd029ff32

SHA1
d945e57b2f7612efdc443219f936c4e6d6ca67b7

SHA256
f9e12e494af5ae0d38b9213128524bc5c9e164554bf883c5dcfa9b9a9ac42820

SHA512
6cab8b9f0c0bb68069f0877bada3e7e6a61bc4db1214104790655160cb3d8699e150654560a74862d4b8234cd5e4c12616b2a8760d9b0714fecafbbaa2748526

Download Submit
C:\KaVB87\boddevloc.exe

Filesize
3.1MB

MD5
fc6f9eb4558306ff35ac6e5d4665163d

SHA1
04528f6e966924bb9516ab24a11eb9cd7b96ea42

SHA256
33303b8835b1615f3e610766bf065e125d796fb68b75ab0a82a760ecffd85786

SHA512
5a981511da45df96ad45812f09619ecde2faa72499d15583025f654c0f2fb37b5b948665ea9eaae2f2e2f10469ce4628f890e1c43f0b942ae7ff768f6c62afb6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
95bfec9048c59185dccfcd68afb0908b

SHA1
fe30334937d63c5c7ff796c75f289d658dacd140

SHA256
1465b4fb668163cb375ba5e625170c4af6436dea21f209c88602f9ac6e54fd72

SHA512
8a9e30cceeee4ef3eae62c554369e5739488110da51ee9f2164273bee2114e17f09999821876fcde6aeaacd7a7e679337c60cd6048d0f809e18657ff4fe57518

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e45fe9fe6a3541bfb8514b0a167883cf

SHA1
01ac4d98bb84c93a06eb1209d70a57b173d55575

SHA256
030197140d075dec37c2ed95eb51efd0dcd6ce4953d12a8739611707701bfce5

SHA512
770e2b465ba498cbd6f573e5af22cd53ab10c7d96263f1826461336208a055d641dec528d9aba5ed7e9d6995808606937bbee5bcec11fe5341a2478240074586

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.1MB

MD5
193e71b3129b5045b801c276665f93e0

SHA1
f35cc6389b505b172c9f1b6a245f1425facbb037

SHA256
bf5d79dd1f268f90054dc82384dd8c7ddb6523cbcbcf4854a1e4c4717c7f9e0f

SHA512
6045bac66ad618b9755818139037c2dec9fc626733e90d5d2ad8f87f59c5406bcb2009afc13e2222d0f14a1c289c95ac3a65b96b17e8c74603265c005ff63b8e

Download Submit