1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Size

2.6MB
MD5

b80a0c83e33316345ac05c9fc227e4b7
SHA1

7ed63abadf1a1a22db61c4f50e7c1fcbb8592186
SHA256

1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a
SHA512

f938542aa4bc9fe57b74792107054b4994cb1f7a120ec0db27eb562a286d72d052a5a1a5a3bf5824149a63df5c418469132ec9cce012092ab652e968830f118d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bS:sxX7QnxrloE5dpUpzb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	locdevopti.exe
3596	devoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv8K\\devoptisys.exe"	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ22\\optiasys.exe"	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe
4828	locdevopti.exe
4828	locdevopti.exe
3596	devoptisys.exe
3596	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4828	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	87
PID 716 wrote to memory of 4828	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	87
PID 716 wrote to memory of 4828	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	87
PID 716 wrote to memory of 3596	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	88
PID 716 wrote to memory of 3596	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	88
PID 716 wrote to memory of 3596	716	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	88

C:\Users\Admin\AppData\Local\Temp\1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
"C:\Users\Admin\AppData\Local\Temp\1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\SysDrv8K\devoptisys.exe
  C:\SysDrv8K\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ22\optiasys.exe

Filesize
2.6MB

MD5
e1bccdd261d831292f00022db7727e12

SHA1
58b396579254de5f8dabe753e096169f66e2b8ce

SHA256
6ad6ac9f18eed7d65119b11ad1140db5894a846732718878dbd3ceedd14a7dab

SHA512
532661915457369c34b6072ac2c5c78b2a5951146cdae9b40da889bc312ae93ce8d2769c5069aeceff30b5dde974051223fe2562822d09c218f3a5e0109d2ff9

Download Submit
C:\LabZ22\optiasys.exe

Filesize
2.6MB

MD5
b0da92add64464eddbe5f991ebabfaf0

SHA1
f1267327c0c37ebfc5bc449b692c649ce00de1a8

SHA256
fbf23dc11a088b68025aa9e95e40f4ec80064439b9ad99b87c2f72bcd30fa2a4

SHA512
49d1ba0b77508ff790fe8dacd6d4760218e711e277c7f7c001380976e36979892bba75438762e82cf66bdbdaba9ccfdd73ce640d7f9c9d2add813b6f5545dc33

Download Submit
C:\SysDrv8K\devoptisys.exe

Filesize
2.6MB

MD5
c5d9fc92a161937bb14c00abd975ba5d

SHA1
43008ec5e7d06a3b461810129ad60d930f49c1e6

SHA256
de8e1002e27d99db114d970a0feec37c7f3ad036357255d464e2e89c6b0305a5

SHA512
287fc24f03ad33a94d1bc43af4646ab4a55c36f2d6fc23a41069aa35ac076f04419ed1fd0c78823880b4205153d2fd4734f3f7eef06b420091757e1feeea59e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
34c723fb60c2bcd0c7f27106929732f5

SHA1
9a455f3b18d350c935157ae2807d554106589b2d

SHA256
e7aa5569d5aff7e6c3be50dd2de635d9bb262eb1371edc9f7b6ad0f4184a1649

SHA512
3fe0e56bbe52000d4fa73cceb2709ea9964a8c0fa0ee863a5bf6044333c8584eedf4ca2515be51da318cecdee3e77ce7f7b3085f0e846b3502b348728d1d379f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
7b90099361e67572bb4a0f13c7d5ed63

SHA1
faa2df5c609b5bdf73aa58e0e7bdb30a61f63dd8

SHA256
3635dc9e7df864e796c59d0ba901a314406101d3ee48722aea24490c007d4822

SHA512
cde954af8a18815d2e16a5095584796335e609591595463ed23050e50e19ab703856058ea47b7100c7e74d82e186f1d939bd5e05aab8c7293a0b852a07f1d44b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
80e5b667ff317f47b9c6efea35fce1bd

SHA1
648e30ad86f23c75d2c3ea7b34491a6c95874b1b

SHA256
a84f5ee385cf0573356f11d558ab0db4fea2bc403c840ae53be231704bb209a7

SHA512
ca62a793b6a3fb568b155db63324cd62ca6eb270e97a9b51428b6c6911ab72ede3c87a906ec57f6904d009bd9e86492e50830b586bac8895c056fcd77b642a1d

Download Submit