Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:03

General

  • Target
    12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
  • Size
    2.6MB
  • MD5
    8055643b72c2a9b72f2499e0154d2650
  • SHA1
    504758b0653b2aca9a11866017e694311289ded0
  • SHA256
    12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9a
  • SHA512
    b4cca2e42cdfe0e78b40b2f580a1a4641d7fe00ce5906c80332ce4acbefe70d89b51d19834982828727eb26c002bf601c04bae9583cee9d92e0356d9207a2c02
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
    "C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2532
    • C:\Intelproc1G\devoptiec.exe
      C:\Intelproc1G\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Downloads

  • C:\Intelproc1G\devoptiec.exe
    Filesize: 2.6MB
    MD5: 869b4d587ec8fb5e8cae9c25c685ec20
    SHA1: 44b12d303b4577f2f9bb41e1d10340482c18597d
    SHA256: 9110e958104377bb1f6e44b64342291121381291412566aeb7bf4f532fd0eb87
    SHA512: f66a1cfb7099dd7edef5c36229e0070a501e4b44d0f08d953906db1fe2d7dd4629b43cbfffd6f2773897cf2a01938e516bf1417fafd87eab9c8e31598457374e

  • C:\KaVBWV\dobxsys.exe
    Filesize: 2.6MB
    MD5: 3af12101f00220c4c3fbc47a927fb514
    SHA1: 9ba037b241a3b6dab425f918c74ec8ed87988111
    SHA256: 41efff4b7c37d76b05a4d7966d4ce0cdda1abaf4f72c7e64471f4cebb20b4463
    SHA512: 53b61ffd9a3de62747fe93b5dbe487e8fbd4e4ace25f7e76e7341ec32321e5aa4186e653c8fcefc2e50a91e3ebdd4678b221b71379ae18387a9435e093b69014

  • C:\KaVBWV\dobxsys.exe
    Filesize: 2.6MB
    MD5: 1c3941cd4a18c484a9b1e32c2bf58884
    SHA1: a6ca8bbd25ca32f4b110a59c0d144996c4baad59
    SHA256: 7436763bca8c7da2635bbd31e03ff7e4328650cc5392150eecba042a3d653db7
    SHA512: 55936dfcac462eff19c8d2821b7a11451262adb520c2fd4ed4e2e5a09491f35bee6700b70841360a739e4e31778c2818b74089a0f5e4c96ff901072e8c574f3c

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 175B
    MD5: fa4eb8019a99762d7cd67092debce36b
    SHA1: 45af307883c4decf9dcbe655c9e303a3582fc998
    SHA256: 8eaba290a7758c6b157ed4381c0fac26f83f131d8b18912ae7245eddb9c50b06
    SHA512: 4521e37f24402daeba2419e4c6b719be20a9f41abd7aadded97d5cafe5060a9da24de1e15711b5f241004ed5e761986634810a7b850a5a472d26c78c3621b2fe

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 207B
    MD5: ff94c7701f1782cd0e070285dc5c552a
    SHA1: bcd5e4e95f47d39eedb2b1500241653d273899f4
    SHA256: e5813500512ef9a09a7b3f78c1333726789e651ce193df16bd6e4801dbaec02b
    SHA512: 8ae9c8a39b14f700be51f8443dc8a3867f07348df0fe5b16d346bdeb895a505545adeed92b34abb23662d6ba5a8abc4596a85d7df02f3894c09e7322c907f50e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 2.6MB
    MD5: 4663b171841e4a8c3f03459b0d60c180
    SHA1: cea97bfb20874fb59129ed899534f33aa271eb5d
    SHA256: 382594befc3826151c73de0414c562a455112c13f8108ac889b43686edab10a5
    SHA512: e958bd8bbe479e96689d98071d0ed02613687cd75c4484f0edfccf9970484167cd67570beecc0c7cd4179c250479fa25668a3ac038e27cb10f961c6a1395d5fc