e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Size

2.6MB
MD5

e42456cd503692c77a790d7d8a6edec3
SHA1

af6bf64b482e44feb223baa426393b883922c098
SHA256

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8
SHA512

c9ac8dadeb8fd3b35239f873fc64e5e4090f79caa0ac48cee436fbe5c0ec520e77c311207edee284ee55e02f5b39baf6ce6e8af0304717fe4771c36b8c060f98
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUp4b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Executes dropped EXE 2 IoCs

Processes:

locdevdob.exexoptisys.exe

pid process

744 locdevdob.exe
4888 xoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

pid	process
744	locdevdob.exe
4888	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4M\\optiasys.exe"	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7S\\xoptisys.exe"	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exelocdevdob.exexoptisys.exe

pid	process
4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe
744	locdevdob.exe
744	locdevdob.exe
4888	xoptisys.exe
4888	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description	pid	process	target process
PID 4892 wrote to memory of 744	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locdevdob.exe
PID 4892 wrote to memory of 744	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locdevdob.exe
PID 4892 wrote to memory of 744	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locdevdob.exe
PID 4892 wrote to memory of 4888	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptisys.exe
PID 4892 wrote to memory of 4888	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptisys.exe
PID 4892 wrote to memory of 4888	4892	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptisys.exe

C:\Users\Admin\AppData\Local\Temp\e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
"C:\Users\Admin\AppData\Local\Temp\e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Adobe7S\xoptisys.exe
C:\Adobe7S\xoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4888

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7S\xoptisys.exe
Filesize
2.6MB

MD5
52a17de72d739ecc39db10618ddf11e4

SHA1
d24ed85b2bc81dd4a7c9508cb8d404240b775ea5

SHA256
dbb1eb07c93043188235014e5e45b0e33fd1e32e7c582182691759296a576d6a

SHA512
2b7ee5515aa07e328ade4292f24b01e656324f2901b6be420f466ab2956e79e2d655ac1f5e2fc63f295bfb80b7d75e6e6ba4eaaf11a6bc982e5c5f4cc0586fef

Download Submit
C:\Mint4M\optiasys.exe
Filesize
1.6MB

MD5
04c68ac5cf12474cce12a0af3a9c27b4

SHA1
e0d8753a7740f5ccc4f8f66080eccfae577aa650

SHA256
9c222a9a4c6a0eb0f258fe5f0d641f8f075989308117ddfa148378f30a912f52

SHA512
598952708af7f286915d1e7c644590e5a88c183ed49f0d53120f41b16f85ccbf3ce5b6b5332438383f9cc7f2457e3a9cc68dd0c35ece6f5578115c641bf1a08f

Download Submit
C:\Mint4M\optiasys.exe
Filesize
2.6MB

MD5
647056ba4322dff674b3ed76b7304732

SHA1
cb9691ec0eb6f2271328f8f2b8cc837fdff8d77d

SHA256
6816abbd7f8da3982fcf6040d6d1e2887ad7c3364e2bf950580845d3e29a6ecb

SHA512
5a78a415775477d7ab150c6a4bb09e7f6119abc2083e8645ce0b0e0621ed6419d9da72bebbc507ab8ac12e54c4f70eefa2ff61305da7305b00f10fd52066e0ed

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
204B

MD5
583d47cb63f20784b90b99f4caa4cf27

SHA1
c7953a07fc8d7f60a4edd0bdde74c051d21605a9

SHA256
19fa191f81f7045a36ceca36baa597e372bb94b75a0e3d6548538d89971b1900

SHA512
297a61715173adb9ec8c3fe481b3fdf26212f6bf19fe42bd30855e500a56b4e849d81b2099622dd561c6211bbf912e89a98548587ebfd9a041e7fd7bb04094a5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
172B

MD5
62f42898600ed1c96364c0092a6a7006

SHA1
072d83ac79e1e17f79d789db1bb0e6cfb12c93e6

SHA256
a353c9b5bb77d8905454c70a34311d36ac06b5650d907d4aae829b9ed04cc175

SHA512
b3595f15960ee7e8140900d30625c2794b2a257e06d348c524e72c527ea180d9fc6dd16acf1a03d7026f5f8749e5e3183bddf6c259a18f8720cca59bfa18299d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
Filesize
2.6MB

MD5
a42ac4f821b53941d430acd4a3049981

SHA1
3b6238af5f16ee20907e5931cffe89bd7e5f87d8

SHA256
22f6f9df39ffbf5288a32aa1fe52f84cef28eb50a5f3dbc684aa31ca9ff4bf37

SHA512
e2e7805159a1851e2d2e228fbd41edd18437864fb62115b2be83caa6f752b9cffe2f99d5f18497aae4617935041ed83df91e8bd0dd7c77f9e64da7ce0b139d8a

Download Submit