Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/09/2024, 01:31

General

  • Target: 6f754c0b494187d0c3f9b919b50e06d632174838b259052afa6a62c75629676aN.exe
  • Size: 2.6MB
  • MD5: daf4c043dcd84085d781cf1a8e695e80
  • SHA1: 205b37888227fb069797317c0b68d9129d4a47f4
  • SHA256: 6f754c0b494187d0c3f9b919b50e06d632174838b259052afa6a62c75629676a
  • SHA512: 776e1712646a99cc801e0bb801faa2c41490674a00b4fbad33cbcf9e5aa5b6474be8ef3c001aa21483cb41a3ac710702696f5c549dd428848669c3bb18a59d17
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile contents.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f754c0b494187d0c3f9b919b50e06d632174838b259052afa6a62c75629676aN.exe (PID 1608, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f754c0b494187d0c3f9b919b50e06d632174838b259052afa6a62c75629676aN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (PID 1984, depth 2, child of PID 1608)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\Adobe85\aoptiloc.exe (PID 2952, depth 2, child of PID 1608)
      Command line: C:\Adobe85\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe85\aoptiloc.exe
    Filesize: 2.6MB
    MD5: ba3f30a9585e3ba5190e13d2efd03e64
    SHA1: cf3e865e824a0f0fa525eac81a7699d20c5d9ac9
    SHA256: 253f5272cd8b6aa3a1869dea4676ce0c4e0c939b518ae9516c76f2c4cd60dc3f
    SHA512: 1c15f0b66c292220cda89abc6b03c1995ba048370cd1ea6311ce5c7b7d7b0543d125dcaedf41e75d8a0ca91ea5c03a1ff5caa9d4a2a62ed899d0a2f72c8e616f

  • C:\GalaxWV\optiasys.exe
    Filesize: 2.6MB
    MD5: f0147162aa332b4096e34a341a0c32bc
    SHA1: a6805a4fe90d313c7604a3bd032d237d043efd1a
    SHA256: 6802adde07222317c40fccad2f0046b38d19dafd7ecc3518643ee508a9975ba0
    SHA512: 32e590e3fc349c96c4cacfd8057ed6bdf526d5a84599d47f6696ea971d5e7857b1956a2f5bf4696dc97c3ac8849ff4962e42ca2eaea4232f97edc67cc0b6ee4f

  • C:\GalaxWV\optiasys.exe
    Filesize: 63KB
    MD5: 1754e9fe985ad47870a1029ba0cdfb25
    SHA1: 029ec938d16ab8fd4337ddccb36eff07183b3e57
    SHA256: f65bfd349bee783787ad1d829523845389f236c4d059b95fb1811acf0c3d3562
    SHA512: 2e0a050a775f66c499868d3f064b7c1edd9e41fc6cb0ac46933ace0ce92753768b39b0ad29de0b8e53dd8e9f19c3dc9c6aafc11574264488017afbf82531e325

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 415ec8f286038b3eabfd41737582420c
    SHA1: c6b333ebb6d5d81f6d4ec7113e747963be99eef1
    SHA256: 2074831ccbeef1dc119471e09c45e391cd1a25f34723f71c0e6c6aec8d7d6a01
    SHA512: cc2ac2c13f7fb0daca7403f20567b79011999f2528631a22a3d16afa23e3b826393f6aed0ce71cf22d8b5b78c41405aad0006b8896a1fc79144d8ae4dddf5dba

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 1305678bf20ffb753d63de71b841fa78
    SHA1: 6de304e16cc14d034ca2f49f0692d9d36b83d766
    SHA256: 3f2671b9aa1f81fe5b3768a4d44672662b0646a338d029dc24352457587dcc0d
    SHA512: 9a28ec7c4f13ed48fae26d9143c4f58dc96615f3067903e7af6050dd037c5afbd5e971758bc0f29e46f252effca948b04f2b91ef54175c0397a71c38593e19f4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 7137f547b35d9c7b2a60086353187c91
    SHA1: faf2df7aedc2d098da8585a2811845e29c67b981
    SHA256: 2607eb5cf2d4beecbd50c0d99b036cc4f47e57c97c0aefe9cdf7cdaf49a20fef
    SHA512: b6be1a55c9f0e0657f200df022f3c83c2c18c50a2a5ce6d394c703d9b20c11c6fa748a6aed80ccc923f4241b42966ce6e37c00343a550d01f408b6b63aa25116