Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 23:04

General

  • Target

    0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

  • Size

    2.6MB

  • MD5

    bd49b46ba24fc504eaa1d96739c009e0

  • SHA1

    701764bbec0e3cd74b1c025fd497c3476077f382

  • SHA256

    0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1

  • SHA512

    5f70f5ba4d83149211c0e670720707e841c6ef9a91957d65173e05e1e812758c4e7debb9d166eebc2cd94ed8a5a169bff8091c06dfa403a6a0f11d9dd2ba9e44

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
    "C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3800
    • C:\UserDotBW\devoptiloc.exe
      C:\UserDotBW\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxD9\optidevsys.exe

    Filesize

    380KB

    MD5

    a7cc740a430934da04eb3f571c7a7cbd

    SHA1

    fdeae034da43207075d42f4a951cc97226bb86a5

    SHA256

    4de236c80eabd7946d61b52b416a00e992b4c2a42adb8677ee7dde52ef6405a4

    SHA512

    4aa9c4081ddd749cdd515b11b97ea5f43783da85cbd44112e452455e150e4cced9f9e8a5d7bf009ab634978861ef82f6376e5f5c991436c9f9dcf37c0d3c37f5

  • C:\GalaxD9\optidevsys.exe

    Filesize

    2.6MB

    MD5

    7e705ced0d9357cc86f15d634421ecaf

    SHA1

    31638b5b55161b47004c6a583b98d0804e062b76

    SHA256

    bd0f8fc1cf7588ab5f531e36cd7b70191c6b48cd711e7de993b4a0cca34c2dcb

    SHA512

    d28c9d6f434f1f8e3e630beeffbda0feefe7df0f5b3d30de1439ac196fca8899503e2456d11500f7b2f065abf03d2c549d7f6bcc0966944e7af38b70d608c07e

  • C:\UserDotBW\devoptiloc.exe

    Filesize

    177KB

    MD5

    305ae6bd1e14b9d5fe4529c9526cbcd2

    SHA1

    b27f323de9d7187f2f0404748582a0d8f7355b5b

    SHA256

    af339106aa6e197389800858c1a2c7adaa21e0c29bec7a43fdf7ff2d1f37be2b

    SHA512

    3c90a35ed844019bda1da1ed31320e7d55b697b6ae27c17efa0fd74e8a1daaf38cdc8bd9416008326a363cecc1ee076f0ad7f64310a574b656b418058ef3e3bf

  • C:\UserDotBW\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    14681211e8077f75047beb5e49e6c8f8

    SHA1

    6342748a494ae5c1595aa182ebd2f276b036f253

    SHA256

    ddc0b7c216473601767528ca243a3331399a0b1003408e6f1d13cdb5afa9ef26

    SHA512

    d2b6cdfb0924bb663bd88f6f7f429cb36dc00a74c4922cae6054cb8199a5775397e05a8de117b66c76abe6ef285cffb69937ae90bcbb2a737aac089dfdede16e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    212B

    MD5

    c57474348e8f6b85a392b7dc240857a1

    SHA1

    7895f59f9b3d4e6438c2ebcdae23cc969904983f

    SHA256

    c950905b3b8d409c9baf6ecb4bb571212055cb5817af551a71818084d54637ce

    SHA512

    c84615ff05f771006fcf5896917e24e4e56d6bfde34441c2db59b34e7589256c5ed947f1414ab64ebf26a3b84a45cdd86a186c29b965270e9b48cb17b7b3b4a6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    180B

    MD5

    17809bdce7c926b9996e2cd159c50a4d

    SHA1

    bf1eb5c2b27bb53353c1be647d8e59d66d2a2c88

    SHA256

    7c68c73df98ed731f6c122f830de863319e0f3ccc23f8bad5079f7423b8e0a96

    SHA512

    30f52ad4d78beaa168a316534e73d8288c5e02012a1543b0489124a81876994e2490f249251965d4ddcb3de577c8bab1c0909cfba20bc0db75ad5687e0e93292

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    04f02dc69ce51c51a5adcfa292367fff

    SHA1

    d73f6dceb83225054a0a239bef426f40ee244e47

    SHA256

    3de80a8ec2c30e979a9b60cedd881ea4225aad6744a4ce1970502a569766083a

    SHA512

    bed8794e1cf3ece43fef7428ab5d35a6931fa2b4c7fa481add2c0ca2016f6a61b0d041d5bdd0cd88f1106db60608040414fc16dcb5424dcb10b04f570f7ba4aa