Analysis

  • max time kernel: 120s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-09-2024 16:48

General

  • Target: 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  • Size: 2.6MB
  • MD5: 167fb4e3a01a3775f86adb1cd3bf06e0
  • SHA1: c08be65dbb711cca1383adac85058d0e2cc6e391
  • SHA256: 8f19a8d237bcf096f87950fa5d0b8b60c409378eedabcba4395045a83ffee2e4
  • SHA512: dd9e46f9223adb5985dcfaec271491f250b745f76fa59d32f3d21163d49cd81b4a2edcc8ed1eebd8932a8d2a3d7c82bdae1c0b3c0f95ea83a25e2745097173b4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copying of, a web browser credential store.
  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\167fb4e3a01a3775f86adb1cd3bf06e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\167fb4e3a01a3775f86adb1cd3bf06e0N.exe"
    PID: 4792
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      PID: 3536
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvQ5\devbodloc.exe
      C:\SysDrvQ5\devbodloc.exe
      PID: 1616
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBPZ\optixsys.exe
    Filesize: 12KB
    MD5: 0f1dd959d43971bf7f79671305e25a3e
    SHA1: 6d8e0a16be92cc3f8829972a8f7c88ea3b37ed55
    SHA256: e2062ac20c5890c0dbf890e43b316cea0da64e2c7e801a4c803faf7642f715ca
    SHA512: 04077a2a74d996c32ac387c8b5e877f1dbc8c0222ec32d484cee13b8913e5651839cc5c68091c96037c6a765cc4488e9bf08f5316ab9256cdbcb3fa5c7307623

  • C:\KaVBPZ\optixsys.exe
    Filesize: 7KB
    MD5: 84c3a9ef71c6c32cc10faa7a3122fe8d
    SHA1: 44094cadec949c065d4321a4cb7bb4c11cd999f9
    SHA256: de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b
    SHA512: f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

  • C:\SysDrvQ5\devbodloc.exe
    Filesize: 1.8MB
    MD5: 4d257e02e7202584a136911273b0a85f
    SHA1: 33f0601cff1e0d6fb02861b9594d96c6ad97b097
    SHA256: 1d3853a8827e24c6302f23383728cce1085fb38a21e2530aa18d10897121b866
    SHA512: e561f544f9457ce5d8001a1ee8d11bae93fe66343e9ccaab0e0e01d26fd1b2a25427d5bcd35e6ed7d9dcdfed308f477212835f16e8f60149fa88f6cdeb788df8

  • C:\SysDrvQ5\devbodloc.exe
    Filesize: 2.6MB
    MD5: c3f8034306d4aaeff67f2c92c28a706a
    SHA1: a6b2451fc892e6f8ec1506c428405b50c9c0d2c1
    SHA256: 307e4194c73510467242592d46c722d42da6e5e5b15982cb980cd2c384dd40ea
    SHA512: 647eb1885162754f3622edd6f95a43f9d8b8c7cc1c9d8de100e33233fcd8892ea6db089c35cebc39e5beaef82ba3ec44cb76d42b6ff5adf5a23911ed6448aed1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 207B
    MD5: 8532edda77eb34500e313d18544f8bd6
    SHA1: e679ff73e8332e05d553317c3a4a6a39e7636b2a
    SHA256: 075b87b63dfcdf62f0081bd6dcc5b7f090905ad1083787d9ed2014a3a0535e97
    SHA512: 9826e3e3011e596342bb02947c5725a2b31583a95ca5b6547e96f266616beecee53f357736ab5f0658a95061050449d278bf2e7fda1d7f3c70736a96206c7713

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 175B
    MD5: 41a834919133432e300d7ad11b0b8b38
    SHA1: 44afc6c50bc29736fd317b01130191e6ecca979b
    SHA256: 2a35d6a5139f15baa0b47f7d0f5eb643a12e054804fc8f615fed92f9b4441b0a
    SHA512: 40335ed0b0194287006ed04092742c18f74532e4d124372e2b54b58dacead0591e5bfc9c3657ce264ed71a56dff49499620bebca4d180ef46ad0e67350f0db55

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 2.6MB
    MD5: 01874439a6f0ae97f43fb3474ba2203e
    SHA1: bee50e79cf5ff6dc0b3f14eda2b778dbdccc89f1
    SHA256: cbcd408a46de29e9395ccfc2acd185040e208c04c4c9f9965ef0c25b1fb5dbb3
    SHA512: 963f816d309deb4e552169b70481c83de814c74b8e39e0f4e5d6c145cc790fa20ecb5f46f72c39e2e1b478b7ebc21a43977516d0931023b68f03c9c785176877