Analysis

  • max time kernel: 150s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/09/2024, 19:47

General

  • Target: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
  • Size: 2.6MB
  • MD5: f2b732029b7d0d90984c2257a1f69e4e
  • SHA1: 1d98d0465855ca94725b21b0fe22a76e82fc43de
  • SHA256: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2
  • SHA512: 8c3fa8dfaf1e202cdb20daf23417685bd65e6789e7472b680fc130b1e6ed860d68ccffb973bea6a71566c78646b5e52a0b25cf97d4e4c49d613c4af0f76fd973
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
    "C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4828
    • C:\SysDrv87\devdobec.exe
      C:\SysDrv87\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintYN\optiasys.exe
    Filesize: 1.8MB
    MD5: 5f56cd14a7959bb3ef7c4ba2068597b0
    SHA1: 940f6e5f63b389a331d1c601710fbc8630743852
    SHA256: afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580
    SHA512: 1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

  • C:\MintYN\optiasys.exe
    Filesize: 2.6MB
    MD5: 68d3d4e5f64e52b333a02cb6ebfad470
    SHA1: 4f254b85b9f7bdd0df640c2a7a6c93a5c95236da
    SHA256: 9342407d0997f59b345324702988864d2cce8d3172ab1a697ccc9a82bb7794ed
    SHA512: 31d27919d874e6f69d44c22bfdb657e4394f78f0b9b277b8a487ab324bbea2b0308226aad25b1b3bb05c8a0741af76b10055e264d749399f409ed7f2b3a0b06b

  • C:\SysDrv87\devdobec.exe
    Filesize: 2.6MB
    MD5: c46d5902a8b7dc7d8193a4acf956a7d5
    SHA1: a73c432aa9ae09956035197561a2dfd7dea16270
    SHA256: 9e68a3c76a5da72a61607e05c481cf88e9adecbb61ef3c9c02c2d3c06eded100
    SHA512: 3f6c07e14660ae19ee83fa1c747707446e9069e67dd0cde380f6b0e34e02bbd8b9e127f577617e5b793c9415dbe31aaa2395bcf98c686e4c3ed7ac17774c509f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 9e7d057e1c486258ce0cf947d3d44f6e
    SHA1: ab9b38f5d5574b3dcb4bc4674b791fcbfca399f2
    SHA256: fa9525f60b328c003473fce413681d0dc32d5cae699e3812fb0fd33c6f85a94b
    SHA512: 41d1627719d8b0831eb1f7fd65ff51cd8d6fc423ac8841ae1e19517382d7854c9e2e0a405b66ba3e68d7582f38f805fb369bc8fe3804bd5fc1f4a238c1dd4304

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: ad5407c2ec688aa847d4b973670ace2e
    SHA1: 5180db9235fcff6e31ab926ec739109b49242311
    SHA256: 8f8e5ef6fefb485c51d633e697e1051e8299507dc4920d9554c968836311d26a
    SHA512: 8d3799032be229bdd1f00e78e0b032d19f48caa3bfa7a3de84912adbc74f555b98b20d3ca217c5f9f12650266aea46f9c79433184466bf28dba5397fb151e242

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: 918dbe9405b96d4c8685fbe2966c3c1b
    SHA1: 89dd3b08b0d71356d5b6efb7083dcf6f52954148
    SHA256: 4596c8b238d0a712b49ab7ef535654685a0278d38be0d3cb4a3b15bdbfae5bf2
    SHA512: fc54a9e268e13b7871eb5546b30947def6e5495ca6e6261c282a1da43fe7544c06d6b8946d16be4b22a38fed1053d1930ad9a2d2d4386dacce3a08e832d203be