Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 02:39

General

  • Target

    ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe

  • Size

    3.9MB

  • MD5

    913cbc7960bb52b182613064a135b7ad

  • SHA1

    474902ce8d516b979bf4d6159421d593ddc06e4b

  • SHA256

    ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8

  • SHA512

    e8811cc8146fa9adb304cb2eb149d0b009e7b413a05585eb91ef91d35d5155cb46eef0bb28d3b4b1253f058e01f23d8da48a2f0d38f2f85c979cbffed437cec4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
    "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1956
    • C:\AdobeDC\xdobec.exe
      C:\AdobeDC\xdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3996

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeDC\xdobec.exe

    Filesize

    3.9MB

    MD5

    ac8b84de2ef02c209b5d436897654144

    SHA1

    90217544818199d5acb207cab48505761046e6aa

    SHA256

    bb8ecc3b20baee42891bb30c9a29ba745e684d3fe6317dddee036252c67d470b

    SHA512

    2c905b904f5a7ff51bb73ccee85288a9ff7cc5b6c6c62a5dd7f124ee4912357708d3020a69262db33410bd781d508daf4bb47938d3bb97aff9d194a7edaa0979

  • C:\MintFS\optixloc.exe

    Filesize

    3.9MB

    MD5

    911718cf9fd68249fa72550c9a0367ba

    SHA1

    b7a5d5d83ad4e744a42fabc2fa997abf818816bd

    SHA256

    444a7cecaec95ce5f3c2e860928284efc3636f5deab7d8d502946d46b2287fef

    SHA512

    add8f482a578cdecfde134dd0bba51f4518ce4cbdf588271fae780907bd10db82121aa1250deda8239013f16d683d82eba80d26960935e9bc31a313a5335242f

  • C:\MintFS\optixloc.exe

    Filesize

    3.9MB

    MD5

    0cf8f7a32b36373a305e984ab116b9f8

    SHA1

    f27519d66f8049af865a4c89dd91fc2c13c5d1b8

    SHA256

    16db583900ad18d9db4a39ffd0ee8e799dd50c2e6b0835c2dfe56096dfded6a3

    SHA512

    37033de9a9efeb58f5554c66370600de78fdd47f26e4c335e7dda1e04bec71486465c55d6e946decfb266ed2ef9561a116595c22a35521ba2a28726d7b8bb9c2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    ba81e38dd0e9cff3aa09a79b0246d276

    SHA1

    99bf7941e257a5dab1da1fddb383bc9a117aaf3d

    SHA256

    ff24410626a87b464f8c8b3c5feac1d28fb898d2b1688934a0f9435271522d08

    SHA512

    4dd4f0e95fd36fa2cc174ffad3638b12467678bb3a42cfd4a01b830cf379f5c70269a3a289c918403151f8b95839bbf9e2fbf006f31a6ab24d61e675adecf9af

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    8d5aa016941f66628f1f1802f90c9e02

    SHA1

    b99cfe0c86bd8d3d8cb3054c34f411932e45acc4

    SHA256

    a9c2aec5e0acaf2fc4b7f1df598fdfed89a1aa1461ac898dd67e26cbdfedfe7b

    SHA512

    8a862ed6ed84d8b3051f877e8a943789c9f2d5489c1e7afb1d17cd2c1fe3fcb8c5c568e3ef01475a6b30ca3765d728cb2cd7e324d2e9377466e54e818942451e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    3.9MB

    MD5

    4e3efe2b0794cea687e6b97bd9e09a17

    SHA1

    5fad11be672baf5a40d8e41ee3cfd1cd0aa88d3b

    SHA256

    29e223ef13cd55d79cb3c5f8a044e43f117d0eca37c6e1b4d1bff8cf60e783f9

    SHA512

    8e8b3f8c42976077c6bcd295c9ebebaebc774dac6eed7d799d2d7b6465354de9e060beec2c4554aa5134de82452af3efdabedcb98691645bd9352eebac3cc01a