b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
Size

4.0MB
MD5

3987135e1ec591d3ba1d940a0b3aef1a
SHA1

13a79f681872fa721320f809d733ebc15df77714
SHA256

b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33
SHA512

8461896c6bfeb9a68621365be50d5c74af017b6b13d90a3a170527c27713cf0d3951036ae781b16e848509068be102261f09751e1d87a58d19cbeb0f4baa46c0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe

Executes dropped EXE 2 IoCs

pid	Process
4408	sysadob.exe
3852	aoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZH\\aoptisys.exe"	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOI\\dobaec.exe"	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe
4408	sysadob.exe
4408	sysadob.exe
3852	aoptisys.exe
3852	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4408	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	88
PID 2588 wrote to memory of 4408	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	88
PID 2588 wrote to memory of 4408	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	88
PID 2588 wrote to memory of 3852	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	90
PID 2588 wrote to memory of 3852	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	90
PID 2588 wrote to memory of 3852	2588	b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe	90

C:\Users\Admin\AppData\Local\Temp\b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe
"C:\Users\Admin\AppData\Local\Temp\b671a1f98d5d5f0421dbba4a3cd57a862e2f9c7bc2809b11e0d6b36edbe8df33.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\UserDotZH\aoptisys.exe
  C:\UserDotZH\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotZH\aoptisys.exe

Filesize
3.2MB

MD5
484b55de1c24fe715febcb377f815d26

SHA1
134c2944429662a50ac03d12c469459deec22c77

SHA256
eddc868f919df8879e665bbf30781890a31510a459c59a37aa9c082c48dbf09f

SHA512
fb6dc3899ec49559c2c03fa1bdf34c57b876ca801128e38d6678c719005b0db3dde27491cbc3db7e6949e2f9569b933ce59a28f7af2a1383b0b6e4c11e0f393b

Download Submit
C:\UserDotZH\aoptisys.exe

Filesize
4.0MB

MD5
6beccbe160a557542e4959d9c88937ff

SHA1
3f6409b036e993662a7de26728e172569610cb36

SHA256
f28f4163e7c27fcc03385787ac75df67255a24c55c7448a8174534a030e5b48f

SHA512
5528bb3e806bafbfd47a9d75d1c174d4dd4882137b3de69bac134892944a5001a2e50dced63fa0a52824569571379bc2fa66f58686e84037b493f2fd1d64e69d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d304315dadfd6ca4f560aaf07d1ac577

SHA1
89f64b6fa3b726c7ad4ac0a0c57e25904589d6c7

SHA256
831d68d1df3bf886e44b44fc4b938b499bb4acfb0d3b8b46872bfdb7c6c52570

SHA512
9efd48b4eccc649a98502af3ab0f22fd06de1d23c345f2cf70ddc1ea9107a3d87e97e0dcfd57e95d2a1a546037434ad8e35d83735c713153cf4d96056e4ef262

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
1abd2854dcc8d8b8e22b82a9e16a3d65

SHA1
e85dfe32fcdd567249de3c41a87729c9efb55d58

SHA256
c1260adbdf9e3264f1bd41b554ac8b9ca0a808022f2ad4a508c5a17ab3fe6007

SHA512
83c9de1fd32c972ae30129622c362ee8ba405621a88c68876e627e5124375c6c8abe8ba361e913432657e59aa8961f16798f208b4d8173877c9cee874490e453

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
4.0MB

MD5
3cffe215de5de21628250a83267b7f3b

SHA1
c34c3435d4044d5875756305ef1260dddfdefadf

SHA256
f9bf2cc77e3425211bcde5a04dd94533e540995a275cb6cc109ae83bbc87a0d9

SHA512
00797cd3768de8eb50037fdb9646f71df8452c31afa6d3ee974abfe1970ea91d22d7c796092f550cf8865445f61818cb59ecb5f0a4c580ca5698db16bab69141

Download Submit
C:\VidOI\dobaec.exe

Filesize
4.0MB

MD5
a20e62e31a053da5dc5a211cc6f5a702

SHA1
be3a6a8de85439fd2165075ed20866f184328e7f

SHA256
0e6e80e14dcde47800dbb4c7efcf03836428349aa632ef8b578507d1b62f5f59

SHA512
7cae17c14db7329b1d49a5bd9875442e08d49020cad6a30355bae43274048daac85c202927e1ec539d0e1cc328b233ad8100b4b8f26b038e7c55e144abd10dd7

Download Submit
C:\VidOI\dobaec.exe

Filesize
4.0MB

MD5
f3bbbfa13cc766baadc339ecf296d48a

SHA1
72a5d76ebb830406341742a0efaad74ff9973460

SHA256
91935734369b1354fcefd3fc33155c298d17f1b832b0eb790f0e10209c3d5b47

SHA512
ce18d0cdafaac97dde14725c178a9dbd8c954e4e701f6fb87825de378e497aed01abc10076da761a8d2d336f66fb16e305396d8ab1404e830f98b00f15bad8d3

Download Submit