38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Size

3.2MB
MD5

26d35b9a18e3a46998e470e36bdb81ce
SHA1

33144304532a6fe70057161dd63a69ff5a51b1e0
SHA256

38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93
SHA512

37a4938b766bd1dfc3391d28c519aac1fc5f2cf4d996645833cd6b8115cb76500e6f445b0531261ad8a7bed1db027bee9852b8d04e4f41600be9ac5efdbbecd0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t+:sxX7QnxrloE5dpUpdbVz8eLFczz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe

Executes dropped EXE 2 IoCs

pid	Process
5008	sysadob.exe
4652	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCI\\aoptiec.exe"	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZN\\boddevsys.exe"	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe
5008	sysadob.exe
5008	sysadob.exe
4652	aoptiec.exe
4652	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 5008	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	88
PID 4748 wrote to memory of 5008	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	88
PID 4748 wrote to memory of 5008	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	88
PID 4748 wrote to memory of 4652	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	91
PID 4748 wrote to memory of 4652	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	91
PID 4748 wrote to memory of 4652	4748	38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe	91

C:\Users\Admin\AppData\Local\Temp\38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe
"C:\Users\Admin\AppData\Local\Temp\38880a64e1b58849988b3b27fee878a259997800b69d20b759e8eec9fff7ee93.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\SysDrvCI\aoptiec.exe
  C:\SysDrvCI\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBZN\boddevsys.exe

Filesize
3.2MB

MD5
ecda1aff905616d3dae664b69706146a

SHA1
d2a6fcd49a53c0c5ef7a45d2f8f4172e22e473f9

SHA256
16c4432c2fbad38bb948cee381635e66434b444818526d1d3ce71a8713c9b2d5

SHA512
b6d73700efa51635e25b884fb3ff502decc40136e6f230e14369d524dd78cc18146fd94d64ea563f4d4a821709ca760ff3946be605ef5fdbb3be1c1e00b428b8

Download Submit
C:\KaVBZN\boddevsys.exe

Filesize
392KB

MD5
505a7dbc4589d83a21b78c653aa4192f

SHA1
2eba860a03f679ae14c60d641560887b246f0cdb

SHA256
9b29807e03255121733a1f64b496761b88b20821526d32a63895c4a37e2d2046

SHA512
d819305362ef5209463ed68a92ae5614ca4ef71f5a3914d951262969c124463c0ee595244f23ca487a63f36364a8d776f7f5c99d86deba7fd2009e9243cb0dec

Download Submit
C:\SysDrvCI\aoptiec.exe

Filesize
3.2MB

MD5
f04b4a9ec7c98507a79b7403cb5c7822

SHA1
bda42cacfd6e687fdcc1512513f1db6d21a96b2d

SHA256
ecd8f9cedf07987d490143aeecfd8b943c38c13febe37e659598ad36afd412dd

SHA512
82c912d2fee5824124fcb0237ec4e0badf1a1070535fba0a9122d90a7f98e7150efbdde7ae09508e488b825e2603dfd5f9a3190474d0641d5318314d54365bb1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
ea9914d24593b0d7f12a46fe5e8fcb81

SHA1
96eada596b1cec05c8cb80fc461d2c002fd848ed

SHA256
894e50481cdfef04ec13211f7f67d0d824b50860db0bdffab3c8c165b1b2967d

SHA512
eb225b1aa07750495de2ada6c007eebe38cbf167df520862805885a137555425f2bb45129b89b4a19d52a98fa714e420f367c352269e3159694cdf1379ab4416

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4187f9f547287e6575ff2fc8bbf2bb39

SHA1
e8ef4c829d23d791967a4480adab3035646a401c

SHA256
6fbc11a1608b121e79617bc6ac2561fc2cbcfe54f8feeaf5cbce697452f31914

SHA512
598de4f11e4564363774cd7941b5c038b00567218096d03624902b2c0661f8717e80ad679fdb379ff0ec96455abb5485407042ba2d37186c3f62d14d88128bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.2MB

MD5
2b87fc80db43a8ce172294eee992deb8

SHA1
83610574694ca2f8148b6bbb1ed1c0fe783e8818

SHA256
1d040e263ff2a6a2d36232660197669c66a331d8b6b586d4ae03b4eb6527d859

SHA512
7c0257c8d15515ab3b57d9d16cf7bfc8a152041bc49570232426ad4625828e41fadfe9bf1379017356c2c9b812f25a219a49c5c7a3c53d8a6871c2eb14f6e1e3

Download Submit