Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 21:57

Static task: static1

Behavioral task: behavioral1
- Sample: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
- Resource: win10v2004-20241007-en
General
- Target: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
- Size: 2.6MB
- MD5: 9ebc951d9f3d04ba4d47f1505fee8b90
- SHA1: e0a79e1dd7d32d225df7099fde992c04bfd4c97c
- SHA256: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d
- SHA512: 802fef0c5e9258932e1d4e973edac26d60cfb1399c38593e15a2a484a6b75aa6d15c3a874762d805ea86e6ad7cb31e8141753b9bf053ad06596f5b67edf0b7e4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
- Executes dropped EXE (2 IoCs)
  - PID 2448: sysaopti.exe
  - PID 2248: xoptiec.exe
- Loads dropped DLL (2 IoCs)
  - PID 1456: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
  - PID 1456: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAM\\xoptiec.exe" (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB06\\optixec.exe" (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs, all for the three processes below)
  - PID 1456: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
  - PID 2448: sysaopti.exe
  - PID 2248: xoptiec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1456 (a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe) wrote to memory of PID 2448 (target procid 29), reported 4 times
  - PID 1456 (a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe) wrote to memory of PID 2248 (target procid 30), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"), PID 1456
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"), PID 2448
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\SysDrvAM\xoptiec.exe (command line: C:\SysDrvAM\xoptiec.exe), PID 2248
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads