Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
08/11/2024, 22:03
Static task
static1
Behavioral task
behavioral1
Sample
12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
Resource
win10v2004-20241007-en
General
-
Target
12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
-
Size
2.6MB
-
MD5
8055643b72c2a9b72f2499e0154d2650
-
SHA1
504758b0653b2aca9a11866017e694311289ded0
-
SHA256
12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9a
-
SHA512
b4cca2e42cdfe0e78b40b2f580a1a4641d7fe00ce5906c80332ce4acbefe70d89b51d19834982828727eb26c002bf601c04bae9583cee9d92e0356d9207a2c02
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2532 | sysaopti.exe
2784 | devoptiec.exe
-
Loads dropped DLL 2 IoCs
pid | Process
108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1G\\devoptiec.exe" | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWV\\dobxsys.exe" | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
2532 | sysaopti.exe
2784 | devoptiec.exe
(the last two rows repeat, alternating, for the remaining 60 entries; 64 rows in total)
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 108 wrote to memory of 2532 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 29
PID 108 wrote to memory of 2532 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 29
PID 108 wrote to memory of 2532 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 29
PID 108 wrote to memory of 2532 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 29
PID 108 wrote to memory of 2784 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 30
PID 108 wrote to memory of 2784 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 30
PID 108 wrote to memory of 2784 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 30
PID 108 wrote to memory of 2784 | 108 | 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
"C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:108
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
-
  C:\Intelproc1G\devoptiec.exe
  C:\Intelproc1G\devoptiec.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
869b4d587ec8fb5e8cae9c25c685ec20
SHA1
44b12d303b4577f2f9bb41e1d10340482c18597d
SHA256
9110e958104377bb1f6e44b64342291121381291412566aeb7bf4f532fd0eb87
SHA512
f66a1cfb7099dd7edef5c36229e0070a501e4b44d0f08d953906db1fe2d7dd4629b43cbfffd6f2773897cf2a01938e516bf1417fafd87eab9c8e31598457374e
-
Filesize
2.6MB
MD5
3af12101f00220c4c3fbc47a927fb514
SHA1
9ba037b241a3b6dab425f918c74ec8ed87988111
SHA256
41efff4b7c37d76b05a4d7966d4ce0cdda1abaf4f72c7e64471f4cebb20b4463
SHA512
53b61ffd9a3de62747fe93b5dbe487e8fbd4e4ace25f7e76e7341ec32321e5aa4186e653c8fcefc2e50a91e3ebdd4678b221b71379ae18387a9435e093b69014
-
Filesize
2.6MB
MD5
1c3941cd4a18c484a9b1e32c2bf58884
SHA1
a6ca8bbd25ca32f4b110a59c0d144996c4baad59
SHA256
7436763bca8c7da2635bbd31e03ff7e4328650cc5392150eecba042a3d653db7
SHA512
55936dfcac462eff19c8d2821b7a11451262adb520c2fd4ed4e2e5a09491f35bee6700b70841360a739e4e31778c2818b74089a0f5e4c96ff901072e8c574f3c
-
Filesize
175B
MD5
fa4eb8019a99762d7cd67092debce36b
SHA1
45af307883c4decf9dcbe655c9e303a3582fc998
SHA256
8eaba290a7758c6b157ed4381c0fac26f83f131d8b18912ae7245eddb9c50b06
SHA512
4521e37f24402daeba2419e4c6b719be20a9f41abd7aadded97d5cafe5060a9da24de1e15711b5f241004ed5e761986634810a7b850a5a472d26c78c3621b2fe
-
Filesize
207B
MD5
ff94c7701f1782cd0e070285dc5c552a
SHA1
bcd5e4e95f47d39eedb2b1500241653d273899f4
SHA256
e5813500512ef9a09a7b3f78c1333726789e651ce193df16bd6e4801dbaec02b
SHA512
8ae9c8a39b14f700be51f8443dc8a3867f07348df0fe5b16d346bdeb895a505545adeed92b34abb23662d6ba5a8abc4596a85d7df02f3894c09e7322c907f50e
-
Filesize
2.6MB
MD5
4663b171841e4a8c3f03459b0d60c180
SHA1
cea97bfb20874fb59129ed899534f33aa271eb5d
SHA256
382594befc3826151c73de0414c562a455112c13f8108ac889b43686edab10a5
SHA512
e958bd8bbe479e96689d98071d0ed02613687cd75c4484f0edfccf9970484167cd67570beecc0c7cd4179c250479fa25668a3ac038e27cb10f961c6a1395d5fc