Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-07-2024 21:09
Static task: static1
Behavioral task: behavioral1
  Sample: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  Resource: win10v2004-20240709-en
General
  Target: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  Size: 3.1MB
  MD5: 7326e2cc8b19595770965d72e1041325
  SHA1: e1758cbd4eea1c45ef714d1c0651abe27d91fe93
  SHA256: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c
  SHA512: a94365d8c26f6042c75f9fe0eb7945509ef6d5f2fc3f7e5252678efb3bb1fc2dc1efeaaa007e849c279703f66074c08a63686e96c780a35287ebbb2c4fd92236
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  Anything placed in the per-user Startup folder is launched at the next logon of that user, so this is a persistence artifact in its own right, independent of the registry entries below.
- Executes dropped EXE (2 IoCs)
  PID 2640: sysdevbod.exe
  PID 3624: xoptisys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  The report attaches no concrete IoC (no file or registry path) to this signature, so it records a behaviour pattern rather than a specific access observed in this run.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLL\\xoptisys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7I\\optidevec.exe"
  Both values share the name "Parametr", a useful pivot for hunting. The Run value points at C:\FilesLL\xoptisys.exe, which did execute in this run (PID 3624); the RunOnce value points at C:\Vid7I\optidevec.exe, which does not appear in the process list, so it was staged but not executed within the 150s trace.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 556 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe (4 entries)
  PID 2640 sysdevbod.exe (30 entries)
  PID 3624 xoptisys.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 556 (352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe) wrote to memory of PID 2640 (sysdevbod.exe), 3 entries
  PID 556 (352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe) wrote to memory of PID 3624 (xoptisys.exe), 3 entries
  All six writes go from the parent into the two children it itself launched (see Processes). Ordinary process creation produces the same parent-to-child write pattern, so on its own this signature does not establish code injection; read it together with the process tree.
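The three persistence artifacts recorded above (a Startup-folder drop, a Run value and a RunOnce value) are exactly what an endpoint detection should surface, and the process tree lets us check which of them was actually armed. The following detector is an added example, not code from the report or from the sandbox: it runs over hand-built events that mirror Sysmon EventID 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent SetValue). The paths, value names and PIDs are those the report lists; the Sysmon field names are assumed from Sysmon's schema; the "VendorUpdater" entry is an invented benign control.

```python
"""Persistence-artifact detector over constructed Sysmon-style events.

Added example, not part of the sandbox report. The EVENTS list is hand-built:
paths, value names and PIDs come from the report, field names follow Sysmon,
and the "VendorUpdater" Run value is an invented benign control.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SAMPLE = "352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
STARTUP_DIR = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-384068567-2943195810-3631207890-1000"

# Per-user Startup folder, whatever the profile root is.
STARTUP_DIR_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# A value under Run or RunOnce, in either the HKU\... or \REGISTRY\USER\... rendering.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.I)
# Autostart targets under these roots are low confidence; anything else (AppData, Temp,
# or a fresh directory such as C:\FilesLL) is treated as suspicious.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events (see module docstring).
EVENTS = [
    {"EventID": 11, "Image": SAMPLE_PATH, "TargetFilename": STARTUP_DIR + "sysdevbod.exe"},
    {"EventID": 13, "Image": SAMPLE_PATH,
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": "C:\\FilesLL\\xoptisys.exe"},
    {"EventID": 13, "Image": SAMPLE_PATH,
     "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": "C:\\Vid7I\\optidevec.exe"},
    {"EventID": 1, "Image": STARTUP_DIR + "sysdevbod.exe", "ProcessId": 2640, "ParentProcessId": 556},
    {"EventID": 1, "Image": "C:\\FilesLL\\xoptisys.exe", "ProcessId": 3624, "ParentProcessId": 556},
    # Invented control: a quoted Program Files path should be reported but not flagged.
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\updater.exe\""},
]


@dataclass
class Finding:
    technique: str                # "startup_folder", "run_key" or "runonce_key"
    source_image: str             # process that planted the artifact
    target: str                   # normalised path the artifact will launch
    executed_pid: Optional[int]   # PID if that path was also started during the trace
    suspicious: bool              # target lives outside Windows / Program Files


def normalize_path(path: str) -> str:
    """Lowercase a plain file path; also collapses the doubled backslashes the report renders."""
    return path.strip().replace("\\\\", "\\").lower()


def exe_from_value(raw: str) -> str:
    """Extract the executable from an autostart value (quoted path or command line).

    An unquoted path containing spaces is cut at the first space on purpose: that is
    the same ambiguity Windows resolves when it parses such a value.
    """
    s = raw.strip()
    s = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return normalize_path(s)


def find_persistence(events: Iterable[dict]) -> list[Finding]:
    """One Finding per Startup-folder drop or Run/RunOnce value.

    Process-creation events are indexed first so each finding records whether the
    autostart target also ran in the trace, separating an armed entry (xoptisys.exe,
    PID 3624) from a staged one (optidevec.exe never executed).
    """
    events = list(events)
    executed = {normalize_path(e["Image"]): e["ProcessId"] for e in events if e["EventID"] == 1}
    findings: list[Finding] = []
    for e in events:
        if e["EventID"] == 11 and STARTUP_DIR_RE.search(e["TargetFilename"]):
            technique, target = "startup_folder", normalize_path(e["TargetFilename"])
        elif e["EventID"] == 13 and (m := RUN_KEY_RE.search(e["TargetObject"])):
            technique, target = m.group(1).lower() + "_key", exe_from_value(e["Details"])
        else:
            continue
        findings.append(Finding(technique, e["Image"], target, executed.get(target),
                                not target.startswith(TRUSTED_PREFIXES)))
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS):
        state = f"ran as PID {f.executed_pid}" if f.executed_pid else "not executed in trace"
        print(f"{f.technique:15} {'SUSPICIOUS' if f.suspicious else 'info':10} {f.target}  ({state})")
```

One caveat when reading `executed_pid`: a 150s sandbox run never reboots or logs the user on again, so sysdevbod.exe and xoptisys.exe ran because the sample launched them directly, not because the Startup folder or the Run value fired. The field tells you the payload was live on disk and runnable, not that the autostart path has been exercised.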
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe"
    PID: 556
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      PID: 2640
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [depth 2] C:\FilesLL\xoptisys.exe
      command line: C:\FilesLL\xoptisys.exe
      PID: 3624
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (artifacts available for download; the report does not map them to file paths)
  Two of the artifacts are 3.1MB, the size of the submitted sample, but carry different hashes from it and from each other, so they are not byte-identical copies of the sample.
- Filesize: 418KB
  MD5: 867044c4ccd6bf9ea58fc98c9570b562
  SHA1: 304a3ea13463ab62b794e0b1f93480a071fc4e88
  SHA256: b58e4afbbbc08988520b7661e72278b32b68021eb780e8e6b57e2988ad140f34
  SHA512: 7a8585a57e172c8b5f2c85edf3726c1a70568b78cac2c712010cbc64b0d6e460bc9f7e53ca2dda46b6e5f71540eb5a99d100c801a172520a569a7a4cc6e9ef5f
- Filesize: 3.1MB
  MD5: 1ef66234510edcb89f07f23d7cb6b38b
  SHA1: 82dec903f995e3e629533f540ddc0db774e0622f
  SHA256: 14189ddf81adf54f8be3ab5c46bab54e7665396edb0de77d91290db17a153a8c
  SHA512: 5a13220d5b7ac1b08d009a92d791e87f057c1987c2ad63cbfe4d22db1bf77535f6a8b5cb01f366a4fc7766ac5e517a8c29e3016cc158d5d766a67c789f45c9d3
- Filesize: 204B
  MD5: 6ef809ad6285007fd331d283207603bb
  SHA1: 568137f425e456de0d7d5559e841302b31ae0d22
  SHA256: 5cca0c9f74cf3e6787753d8414d7c9ca2c3504798971ccfa58f1c8f2300b39f0
  SHA512: 2e5065f0a28ec81d22679858fc93e22d930aaf0ea63df23ca1a1d4f67d0f0e6f4b2a84ad38e22e4b49a76b34ca26c4b65d41dd4d0766b508ee67ee981345b481
- Filesize: 172B
  MD5: ddab588476db71f63510ab421445093e
  SHA1: a586377b6145ceb58628c5a38dd465927b4fb675
  SHA256: 1fd0a33856103347398af0a8b3edb4afae664378c1a153001762b37415d48ac0
  SHA512: b122e380ca8ab48fe1952b8780cd38eb7538eeee5342c551a1c34b5d8f1bebb26b3939609ba490dc4488556a3d69d0d35d58319bdb611cd73684791b2ef048b0
- Filesize: 3.1MB
  MD5: ad970105fe4001b753240eb418a96a14
  SHA1: 226b48140fab7b188ae2f8bd609b045629899c47
  SHA256: edbabf4b1a7e7c17ac46946fc1e9e70daeb8a02ce3e0df5dcb9cf909ddfe4a14
  SHA512: 6aee8a6f064db04e13200e878a9b6c35c5af33c95da6e1f4ba2bd78e3fcb2857cc757d43d997a84a44d3b378fac2803ad04a0218c1b66c8c017fa263defe5dfa
- Filesize: 25KB
  MD5: 5762bac0acb51c17f2d50d3089e9a468
  SHA1: 0050c15f18fcfb7ccb580d1b978828a14dfe5548
  SHA256: 9ba88174226e3e60f0e21fe9ea512cc1b77c4e88e7cd924a32a5d3ca62dd78fe
  SHA512: c653b3411dcef476e2330af4f8649c7cd0bee4d00aa083bcee7ee9e5fa618df1779ef8f2c1a39238cb514b17f7ef07ea5a11b68b1ada79e11743feca9cf8a93c
- Filesize: 181KB
  MD5: 19edbfac35ee4cc2ec541fb6f49eff31
  SHA1: ce97af3e3af303bdcb36bda362d154682ca7ccfc
  SHA256: 246bc5f7c083c7754b5256617facde076f75b0c4672c152c6010090385547321
  SHA512: 9609adc7265ff031b1648051900f1a42a800c2632d73e33223ea2bb3f6b17ebcd7942b3ab5bd82a43d969500728bd9f6fe7af335a4b5849f338fd1780ff326c4