Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 21:57

General

  • Target

    a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe

  • Size

    2.6MB

  • MD5

    9ebc951d9f3d04ba4d47f1505fee8b90

  • SHA1

    e0a79e1dd7d32d225df7099fde992c04bfd4c97c

  • SHA256

    a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d

  • SHA512

    802fef0c5e9258932e1d4e973edac26d60cfb1399c38593e15a2a484a6b75aa6d15c3a874762d805ea86e6ad7cb31e8141753b9bf053ad06596f5b67edf0b7e4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
    "C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2448
    • C:\SysDrvAM\xoptiec.exe
      C:\SysDrvAM\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2248
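The process tree above shows the chain a detection should key on: a binary run from the user's Temp directory spawns one child from the Startup folder and another from a freshly created directory directly under the drive root. The following is an added example, not part of the sandbox report; the event records are constructed from the tree's image paths and PIDs (the parent PID of both children is taken from the tree's indentation, and the parent PID 1000 of the first process is an assumed placeholder).

```python
"""Flag the persistence chain visible in the sandbox process tree.

Added example; the records below are constructed from the report's
Processes section and are not real endpoint telemetry.
"""
import re

# Constructed from the report's process tree. Assumption: both children are
# spawned by PID 1456 (the tree's indentation); PPID 1000 is a placeholder.
PROCESS_EVENTS = [
    {"pid": 1456, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"},
    {"pid": 2448, "ppid": 1456,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"},
    {"pid": 2248, "ppid": 1456,
     "image": r"C:\SysDrvAM\xoptiec.exe"},
]

# Executable launched out of the per-user Temp directory.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Executable inside the per-user Startup folder (runs at every logon).
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
# Executable in a directory directly under the drive root that is not one of
# the standard roots (Windows, Program Files, Users, ProgramData).
ROOT_DIR_RE = re.compile(
    r"^[a-z]:\\(?!windows\\|program files|users\\|programdata\\)[^\\]+\\[^\\]+\.exe$",
    re.I,
)


def classify(image: str) -> set:
    """Return the set of location tags that apply to an image path."""
    tags = set()
    if TEMP_RE.search(image):
        tags.add("user_temp")
    if STARTUP_RE.search(image):
        tags.add("startup_folder")
    if ROOT_DIR_RE.search(image):
        tags.add("nonstandard_root_dir")
    return tags


def find_persistence_chains(events):
    """Return one finding per child that a Temp-resident parent launched
    from the Startup folder or from a non-standard root-level directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        tags = classify(e["image"])
        if "user_temp" not in classify(parent["image"]):
            continue
        for tag in ("startup_folder", "nonstandard_root_dir"):
            if tag in tags:
                findings.append({
                    "parent_pid": parent["pid"],
                    "pid": e["pid"],
                    "image": e["image"],
                    "reason": f"temp-resident parent spawned child in {tag}",
                })
    return findings


if __name__ == "__main__":
    for f in find_persistence_chains(PROCESS_EVENTS):
        print(f"PID {f['pid']} <- PID {f['parent_pid']}: {f['reason']} ({f['image']})")
```

Run on the constructed records it reports both children (PIDs 2448 and 2248); the same three regexes can be applied to process-creation telemetry from any endpoint sensor that records the image path and parent PID.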

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVB06\optixec.exe

          Filesize

          2.6MB

          MD5

          942f6c4c2384b145aec0867ce4aefe20

          SHA1

          2d23d42520d8481ef0e29117e5a00b0f55db9279

          SHA256

          d3b6d95d083b99271d0580d7a9638ca46bc6fcad11c9d81d90b46f8bf8dc04e5

          SHA512

          280cbd3e67158a18ada67734aa5de0e30f988fbdc5db42cc5c2827088d7b9eee385e65ba4c0ad519a8d22099e5c8654a9501dcd60d04aa796f5ef7468bfc11a9

        • C:\KaVB06\optixec.exe

          Filesize

          2.6MB

          MD5

          afd7f4578acfa0d270b991586cdfd22e

          SHA1

          db686f7ed8de446e6605868fb3b2b4a684e30f85

          SHA256

          112f19f8b1e8347f1ad74b3026d45e809479e0439cf466b4e0f118e8db936084

          SHA512

          4c72edab1880006fd21238609e484d07a1d7b82bc7055b75245b937356dcc5b23b6a3927bd5e28360b79aa69e4109bbc9aa535cc32d16cf93b44f8da9bbbc2f8

        • C:\SysDrvAM\xoptiec.exe

          Filesize

          2.6MB

          MD5

          d60e6b91843229018a8d7faa63897350

          SHA1

          681efeda7061d44185d10ca124b9356b3ac16fbf

          SHA256

          fa96b80a0aede2e756b47a23365a805ad7f74d148262748166ffe1a8eaa670f1

          SHA512

          ac3ac18238ef9d29d587c29b38b8bab96e95b4f12bcf87ea71c2e3749166c18c8f61304ba581abc927d1c41284b9f8000c41821660c59044b7e1c511578ef786

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          20bfd7124296a56be4ad1b3cd72ce61e

          SHA1

          a840c36d50054e439364034c96f218ccaa74446b

          SHA256

          25c578ef5919737405e67595e15bc20a2a49a0c658bb9fb42279fcc186e0afc6

          SHA512

          a168901cc403242ed61eda206937402e003029ae314e4fdda536feae9015eacfcd1f4b8cc2071c430722c941ad525ebd695e9e39bd1b3112e7b729a647402e99

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          b6b0776da040f7198cd5e70f71295726

          SHA1

          088bf8ccaff40cf51346df8c630bd0a9632e79c0

          SHA256

          d12f7f57fdabf7f7fde3ebef65bd8e33b1bf7de1e4c83b7d1730fa2cf56a5ef9

          SHA512

          11f3b57fe37c99b6dcb706b3ae53c52526846f95a2e8a04c94c3a3cf1c296901374e91b7bd9cf9d512cdbbd74316fb6dd89cbc1ca732cdea916d54fc62855cdc

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          5a061281d10a77bd1563f6e00cb64bdb

          SHA1

          866119ec0fbf5b59de45f9f22073a87306cd07b5

          SHA256

          6f385fb226000a378408202e3e3d438e8e57dad1916aa430510afcaa9471b609

          SHA512

          285d33318a575121ef9d852fc6d9a99234cc388e39a439ad51fc58fb179b2f9ee5370900c79607150875ca32ecdc81acce6f7c17b7053edb827b1c4b59e63f11
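Every dropped executable above is 2.6MB like the parent sample, yet each copy carries a different hash, and C:\KaVB06\optixec.exe is written twice with two different hashes; the .ini under C:\Users\Admin is likewise written twice, growing from 170B to 202B. The following is an added example, not part of the report: it parses the report's own dropped-file entries (copied here with the SHA1 and SHA512 lines omitted for brevity) and shows which of these artifacts are only reliable as path-based IoCs. The parser, normalisation and matching rules are this example's assumptions, not the sandbox's.

```python
"""Build IoCs from the report's dropped-file list and find unstable hashes.

Added example, not from the report or the sandbox vendor. REPORT_EXCERPT is
copied from the report's entries (SHA1/SHA512 lines omitted).
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
• C:\KaVB06\optixec.exe
  Filesize
  2.6MB
  MD5
  942f6c4c2384b145aec0867ce4aefe20
  SHA256
  d3b6d95d083b99271d0580d7a9638ca46bc6fcad11c9d81d90b46f8bf8dc04e5
• C:\KaVB06\optixec.exe
  Filesize
  2.6MB
  MD5
  afd7f4578acfa0d270b991586cdfd22e
  SHA256
  112f19f8b1e8347f1ad74b3026d45e809479e0439cf466b4e0f118e8db936084
• C:\SysDrvAM\xoptiec.exe
  Filesize
  2.6MB
  MD5
  d60e6b91843229018a8d7faa63897350
  SHA256
  fa96b80a0aede2e756b47a23365a805ad7f74d148262748166ffe1a8eaa670f1
• C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize
  170B
  MD5
  20bfd7124296a56be4ad1b3cd72ce61e
  SHA256
  25c578ef5919737405e67595e15bc20a2a49a0c658bb9fb42279fcc186e0afc6
• C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize
  202B
  MD5
  b6b0776da040f7198cd5e70f71295726
  SHA256
  d12f7f57fdabf7f7fde3ebef65bd8e33b1bf7de1e4c83b7d1730fa2cf56a5ef9
• \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Filesize
  2.6MB
  MD5
  5a061281d10a77bd1563f6e00cb64bdb
  SHA256
  6f385fb226000a378408202e3e3d438e8e57dad1916aa430510afcaa9471b609
"""

# SHA256 of the submitted sample, from the report's General section.
PARENT_SHA256 = "a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d"

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


def parse_dropped_files(text):
    """Parse the report's bullet/label/value layout into one dict per entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new entry: the path
            current = {"path": line[1:].strip()}
            records.append(current)
        elif line in LABELS:                # label line; value follows
            pending = line.lower()
        elif pending and current is not None:
            current[pending] = line.lower() if pending != "filesize" else line
            pending = None
    return records


def normalize(path):
    """Case-fold and drop the drive letter so C:\\X and \\X compare equal."""
    return re.sub(r"^[a-z]:", "", path, flags=re.I).lower()


def group_by_path(records):
    by_path = defaultdict(list)
    for r in records:
        by_path[normalize(r["path"])].append(r)
    return by_path


def unstable_paths(records):
    """Paths that the sample wrote more than once with differing content."""
    return sorted(p for p, rs in group_by_path(records).items()
                  if len({r["sha256"] for r in rs}) > 1)


def match(path, sha256, records):
    """'hash' on an exact match, 'path' if only the location is known, else None."""
    hits = group_by_path(records).get(normalize(path), [])
    if any(r["sha256"] == sha256.lower() for r in hits):
        return "hash"
    return "path" if hits else None
```

The result is that all four dropped executables differ from one another and from the parent sample, so a blocklist of their hashes only catches this one detonation; the directory names and the Startup-folder filename are the IoCs worth keeping. The .ini filename embeds 6.1 and Admin, which match the NT version of the Windows 7 image and the sandbox user, but the report does not say what the file holds, so treat that reading as inference.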