Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 03:06

General

  • Target

    0a68b84dabed3c17cc235316eaf57260N.exe

  • Size

    2.6MB

  • MD5

    0a68b84dabed3c17cc235316eaf57260

  • SHA1

    ed70d0dc147cd9c752863dd84f7b3aa2959ff507

  • SHA256

    4d1be3576ab73f7fcea87ed987f6265b0793beecbbca1c7ad1e3a2e7b9a8daca

  • SHA512

    7241b269ecb9c7bed5bd1cd5a44b3a006e6d1cda33ecca50abbcf88dbba500f812388bc6a52a8405990da3a38ea94217ba2183d0bbc358ea6bbf69ee49444eaa

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bS:sxX7QnxrloE5dpUpBb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a68b84dabed3c17cc235316eaf57260N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a68b84dabed3c17cc235316eaf57260N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2800
    • C:\SysDrvU2\aoptisys.exe
      C:\SysDrvU2\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvU2\aoptisys.exe

    Filesize

    2.6MB

    MD5

    926245229a370501f21025ebf485932c

    SHA1

    64cfbfbe1032eff7868b96b1f722e318e27eda0e

    SHA256

    f37593354e28db17bbf098b7bb4f95a788cb70b3f67c8b7f4c5798a3662aa925

    SHA512

    6ffee723c90a43f24a9c40c20eeb7e2206ee860b0686699c9a9f0612003360c6645c3d5c0f04a05deaf4eae1a9ccb542f79677a641c2a0b838c502ad239f6de7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    c6b0dd05a65ce03fb1982f074c872c3b

    SHA1

    e467ee748cc6e3e1a5f64755d0c8dff5f8227055

    SHA256

    7989086b20b88171c7a60656175bdeb699f36c62f969bb036f56653ad8d4b10b

    SHA512

    55c16b78a85f94c2fd3c889f8007b7e3da58a18aff0aa5e07d235d0fe71ebc96149bd2787fa1843abdce34697eeaad9cb48c73735478f73c11446f4ad98998a4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    617ab08d019b5787392021bae38e090c

    SHA1

    04fcc9972287efaa7d8566ea533dd38030a1870b

    SHA256

    a56cee898f9b1851c45425a80b803243e3153d7b4810123ee2a63def63202341

    SHA512

    3847c6739370637a897880cc2319f658d8a65434905d355b9416c4e819bc1a4eebe2233508390c90b3f1c349dfc3049745c2c4d3121489f6969347c1fe145279

  • C:\Vid4I\bodxsys.exe

    Filesize

    1.4MB

    MD5

    a2af908747e0303548cbd2a5c06b8ea2

    SHA1

    a793c506ffe0cc3ddecf62f3eb616df558a761b7

    SHA256

    26b4a8936b61a7fba4027bd690fb5b8719ab5f18abc27a51cdfff6b11bb99f12

    SHA512

    1ba28df9c2b46dfc326249fc620be0a56588aecbee45692faf4644ac6c18b2eb182dc23e3e55b8d57581926d595b6503a60e8d705ef3dc6e2771bc6ade28b48a

  • C:\Vid4I\bodxsys.exe

    Filesize

    2.6MB

    MD5

    1ed9e10abc91404cb82cf735a8738c88

    SHA1

    c7c1f801a51488bfbdc1d1f5fbb75d49dee16579

    SHA256

    746f65c4e3083bc89820ba8d00fdc8b888af869f8e38f7e6a14278d072d6d237

    SHA512

    2ae790567dd2da344021880910ce96a3ffd707fde2ca405246d7da75199dc3fe9669939cda3c18ba740529f39a2811d4874a46c9dce34582734ae2bb3d939c41

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    2.6MB

    MD5

    6965da8b893b926eb2d67f7b4a02f000

    SHA1

    8219075754374322f365107d24b545c613b7d8a2

    SHA256

    3c60f7e4647984d6749d2bfa588cb791af7d6aadf8da04476732c257e71ca70c

    SHA512

    d9d0d7770f5f22b641743e5d842cd117b4662a9291ef4b266c3c2a9a982e7ee674ff2f79551231143caff3e4280f21ee857e258d452a381ecd8ab1d66886eb51