Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/05/2024, 23:23

General

  • Target

    74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe

  • Size

    3.1MB

  • MD5

    7dfb1bccca0f224d17a0fdf983b98e3a

  • SHA1

    93e2b24041efc59eab7666c9175a37da463ddcb5

  • SHA256

    74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53

  • SHA512

    41095cdf7c6e69fa75374ab18e089f7718b17da7744d5a3f96a7c49467eec720d795b4506e29e63987c4d288d37bdfbe4082abe2c8110a251ef80f8fc5204d2e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpmbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe
    "C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
    • C:\SysDrvZH\xoptisys.exe
      C:\SysDrvZH\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZCH\boddevsys.exe

    Filesize

    3.1MB

    MD5

    460e56ca99d91a92176ba282e2e731e3

    SHA1

    41fb8122aa2cea4537a22a35a9b407b8e8ad9872

    SHA256

    f7af2bb32efdffb4cce119a37026689efef87b1d2e8149ba3e5f454b675d6cd1

    SHA512

    43ebffe1b1cbcea16ab809f27235e08886635799f350e952a3046a5a87e5e41de289292d155f2ea8407c48dc81a6637f53ede57873e40150be892c10702e7d00

  • C:\SysDrvZH\xoptisys.exe

    Filesize

    3.1MB

    MD5

    9e9dbab2a06419de8f4b5895f44ea3fb

    SHA1

    eb4b245247510b993d704d2f831aa88c4ad4df54

    SHA256

    bd6d49ff207e1e72263dffbd601dae08b6055074e4b50ec43792995b03fff423

    SHA512

    83f56afcdcf755d2804441878a8d784835137fb3f499afc4338b4c129e7593967b52e7c8a903237cd29e3476f0d54f42acc402952feade67fc510f5d69385af2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    aa6290ccc148bd85a17aad625f3b0044

    SHA1

    eb11cc695b6d581f8e77db03ec642e486395901a

    SHA256

    73cea574acdb24085793fed5faba25b864ba06b486ef191eda4504a5f0df1ac1

    SHA512

    4affd6dfa23bc007b323db0b9e646807b26dac15958c25d2668766e07e7fb303a8978a79cee28a25dc9f7671b535126a546a009af6842e79e1e191b50ec5221f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    28ab746b8b66c40f0be5f727e1edf301

    SHA1

    6622bca60302bae14a7dd6d2170450963bed1132

    SHA256

    0be919c52954e93225944d36165f7c70818f3b5ffd9d9d54b2bf98250b1f6784

    SHA512

    0958bc5198dd6b7d5ec3b0e046425755971a7adfada8d76ba8aa45d5efe9a6b7c59a9fbd221f7e5442741f3af05c48465f71997f752b75242f10d41db2a6d399

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    3.1MB

    MD5

    c25abac9a56b77f2fa85f5a8dee33877

    SHA1

    c90a534c3d600533c340c016e9f02a5feccd9604

    SHA256

    291ac0a2ded680d2782b1713ebb67d37fcad90e4ad6e849cf5f86ed3c33b5c2d

    SHA512

    f542dbbbb68bd5b405513f0ef01fba6504afe91ced6a7d9aebc46e02e179a5678d44fc8de3c96f19108125c08dc031bb02968fc02e0fb9db044780ff5a8efdbe