Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:37

General

  • Target

    f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe

  • Size

    3.1MB

  • MD5

    4f5d3df84940771701815930ef5fd25a

  • SHA1

    5e304be597a6e89fe2ab986e61bf9ea571226d59

  • SHA256

    f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d

  • SHA512

    aa6dac202564b89ae6a8eed1a6baf45d39264b83dde37f1c0641eee76f01ac54a46a2cb292ea4fc385955ae6005fd2a186454113d11b06c50f4bd555751a8be1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
    "C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1444
    • C:\IntelprocPC\devbodec.exe
      C:\IntelprocPC\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocPC\devbodec.exe

    Filesize

    931KB

    MD5

    db8b90a1e2c680d6b4903dd6a427762b

    SHA1

    c86f9629fd3e2f7d0b7e60a1a51c9127e6f45180

    SHA256

    e6f555a5ab87dbb7cd8e28d0c86e4025337860d3a261fbf08e01855e95d0c63c

    SHA512

    451d06cc93032b1beba273789eaad617760ae0daf6e1c44c005857d168bb55b99a0d03385154b78de07083ee91c4da48ac65c92f9fd09e60821a5c95dc18771d

  • C:\LabZL3\optidevloc.exe

    Filesize

    4KB

    MD5

    b61f1c7ad73efe910c92dd7a7c9a7a0e

    SHA1

    da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

    SHA256

    b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

    SHA512

    224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

  • C:\LabZL3\optidevloc.exe

    Filesize

    3KB

    MD5

    b85ef880820ad2f02706b10170e533fb

    SHA1

    71378239fb161e35c8f79d7a951d7d09d4f45b33

    SHA256

    824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78

    SHA512

    f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    177B

    MD5

    731615a8ffefabe1fe4a5cde7a04b729

    SHA1

    a6cf7d0517e2e7ecb2dad5673a5edfa7d15aac7b

    SHA256

    0082e24907aab61d01028e118116f9ba543a5216cfbd29ff5863d50489ff2ead

    SHA512

    dddb4dff10558959c0174769ca57d41d2a896f13d8dae79e07afe6c0984df1936340ce39a7363794d28b6dc2a930a7bf2d9dac4a40ea6e212be5a93296e8fd78

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    209B

    MD5

    672bf2510a2e4fa4267fa8fb0f010fe4

    SHA1

    dc0f9af00f2edda6201473d80d5edf271229b553

    SHA256

    6e0dbbcea7b51301b40cc8d7807a6a014235bfffb3669e833e18f71b5bffc269

    SHA512

    9994705291061efe651a68e0441883130a0356fb6493faca98f9feb40b636d226d97ed51ca9a5a3b274a5e2f1d3468e29a7a0a7d4e75b2eeb7f1f70760c01920

  • \IntelprocPC\devbodec.exe

    Filesize

    3.1MB

    MD5

    4c1347ab26ea24322b08b6b85bfe2bbc

    SHA1

    b11ab69a08d49798e428837af666b3ee52a35b2f

    SHA256

    300debed46c8f798b67aa9b0f26f16907873a1105c21a2106e7b95c40ee23155

    SHA512

    54f1663196dd1388d9259848e6ae9ed80800ac99c1445890ca9a54a5c63499e7ed215ecac8910fbccc13c6210619e6bdaf99bf462db6dc2710bb2c0898f114ea

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    3.1MB

    MD5

    f4119ce62573f7bbcb0c8addcae774e0

    SHA1

    5c44e843da3d4a96889a2a8abdddf46a261883a6

    SHA256

    3dfc0d1fedc84cc95e2ab82faaf29cd5629cd6e257bde6a4e0eca18c418ae827

    SHA512

    02481c55a807729af45ca919fff74558de9c07200a73a9e1b65711d8cd125a7f154852ada64ef799361fccd2132ccc63e1d8917995719d3bbb4be6dedd904a9a