38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Size

3.2MB
MD5

26d35b9a18e3a46998e470e36bdb81ce
SHA1

33144304532a6fe70057161dd63a69ff5a51b1e0
SHA256

38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93
SHA512

37a4938b766bd1dfc3391d28c519aac1fc5f2cf4d996645833cd6b8115cb76500e6f445b0531261ad8a7bed1db027bee9852b8d04e4f41600be9ac5efdbbecd0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t+:sxX7QnxrloE5dpUpdbVz8eLFczz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe

Executes dropped EXE 2 IoCs

pid	Process
1264	sysaopti.exe
2192	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY7\\devbodec.exe"	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1S\\optiasys.exe"	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe
1264	sysaopti.exe
2192	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1264	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	30
PID 2096 wrote to memory of 1264	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	30
PID 2096 wrote to memory of 1264	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	30
PID 2096 wrote to memory of 1264	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	30
PID 2096 wrote to memory of 2192	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	31
PID 2096 wrote to memory of 2192	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	31
PID 2096 wrote to memory of 2192	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	31
PID 2096 wrote to memory of 2192	2096	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	31

C:\Users\Admin\AppData\Local\Temp\38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
"C:\Users\Admin\AppData\Local\Temp\38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\AdobeY7\devbodec.exe
  C:\AdobeY7\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeY7\devbodec.exe

Filesize
3.2MB

MD5
670b8780837fe9a7e5245ed12c5babaa

SHA1
9436b9cce63e790483c7aa410649d70f7ca02ec2

SHA256
e35e8ff25d9c5921ac3a9683d279a519fbe56bafe2554bc0cdeae54d85540697

SHA512
2b8650b1359062fdc1c1011438570ec2ee2676f308ab517677d80e3720fb46ec8fbbbb2501dcb8f85d3d7401e3b2262b8c66206098ef949da2bc2d69fc44f49e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
e1459fac89ee736eb8a425089d40cfbb

SHA1
57ea91dae811e896b45a2963397f3d0dd7cbc4c9

SHA256
80403462331d58689ae76913b4da3e3ab0fe9a8ea8aebde83bfde3073a3f1224

SHA512
3467a15e6a14b5816337bc59944b5b3fa438d77f6615a8d71d87b2c45519ae1623402c29cf3b8d48624671c0639182e9916969e6ee3b36aa03ba13e3ab1ce2e1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
e90317d43a09dfb713146b11a1fa135b

SHA1
a49876d5fcd38bd0f06f78f40bcc4973e08213a1

SHA256
bf0cb164dba67d61bcd0c8a89d58c965d97725bdc523bcfb7c1250b521df7190

SHA512
0f401135bb9dc769a3a0b7c58a54176b7490ce3918b1465dd02a7ee1a3cfd08624e177ec8d307fde6756bcf084147832a794b3bd576408f71d854ed7774d61b0

Download Submit
C:\Vid1S\optiasys.exe

Filesize
3.2MB

MD5
dd42ccde59efff60abc0a52e977122fd

SHA1
c90edc31e4e1485671d1a803bf943f77ccd3aa51

SHA256
0261a19b09e095e00b2e47af4436f58ec00764233aa3696cd587181f5b6da632

SHA512
65b5d54f808494ce11e4c833bc9f14ed5411d02bd1c6bd51851c6d3dc8882b0e65b423d6738fd8c2b10b7112a88bbf10d8efea8161cd7a4275d6272565283910

Download Submit
C:\Vid1S\optiasys.exe

Filesize
3.2MB

MD5
9c4cc01d9611118daf73087792af5c1d

SHA1
5018ca16ab6152fdc83033bb705662b45e199ce6

SHA256
d04edd4e00b8e74c58a45ae3d06e86a1d7220b2ac90594cd2709a4e8e0b2f598

SHA512
b225dc471debaaccfcba4662e347a7e0ef013104d16ba0d9c79a73bcc4ea620c06d3ba0bc863a94cad2a1632ffdd9938c1d78018f2a6e833c299f156255b310d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
5945c204febe205887803004c209b390

SHA1
f5e525c04a1300b5994cc9e7676bb7003e3556e6

SHA256
3d88ac5d1b161f2c62829e19785d9d6847b542d701e367efb90975f8598f5526

SHA512
3eb798e0db1498549d7ebcfeac9f22a515c50f953a5f95a11bf70491ace8397ab77a93355fb86ad4926f9b2634bf9971aaf879ae1ccc5643c82b461331519097

Download Submit