Analysis

  • max time kernel
    120s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:38

General

  • Target
    c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  • Size
    2.6MB
  • MD5
    44e34eb4cc19d4dd6e2cd8838b5bdb80
  • SHA1
    e87d983c1eb39ef25554dec73e82ef355c9fb613
  • SHA256
    c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4c
  • SHA512
    71cd4921c9a49e5e6e3224372223053e03169b0e6ca2b58080e421aee98abfa9703d4e26c556b88dab89bf0143b0212505c7411aae1dd8dcb0d430556b9a69d9
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
    "C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1948
    • C:\FilesOS\xoptisys.exe
      C:\FilesOS\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesOS\xoptisys.exe
    Filesize
    2.6MB
    MD5
    f47d3ed1ec0191e8e04342d56042d404
    SHA1
    048d0a6133bdb3c34459590b4461b37b8b7a9bd6
    SHA256
    d51705ce4bd3500a7460f8b0d2b3eaa8e3c96647121b2a5b7093c1cd65bfc11e
    SHA512
    b3aab846a94f8eca9f1ea3dd2da460f381875661013cb7e663e6743c503e4cf6687dbb488921c4c21abd0a5653431348b4d7f3facfc5508417702272cb422c24

  • C:\GalaxN8\boddevec.exe
    Filesize
    2.6MB
    MD5
    dc722a0a73cee1cc98262cd5e6551c77
    SHA1
    9305e0c49e5fe4f8f5df90c79a63c2832d90ae47
    SHA256
    010279982d9eb2ab3a880f63542ed5e190e6ccf1a9e8607686d7506927d41663
    SHA512
    f0f62750b5c5a7687883873260ce96176427dc16fb9b9591e6c69e637712b83465b1092df3c61ae407f3f0e4f4511d1800aae62b7d5860866b9e3739e7b40266

  • C:\GalaxN8\boddevec.exe
    Filesize
    2.6MB
    MD5
    863123681298bd5462c226091bda452b
    SHA1
    0fd460c9579adf2bb754d8186541fe4372ea9d1d
    SHA256
    fcf83987c86f3b54956a6279341961ab17402e83058b0bb8436bb70a00c457a2
    SHA512
    681fbb44aa718a465fa1022a7944c2c87946272cc0b48b81c9b12a5a30b54ae5790e02e1ffaca7b369fe6750e9b1cf1baf373840f80b8498de53365f0cabb9e9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    172B
    MD5
    43e74dae0f285af34c742be1346ca218
    SHA1
    6c09d5a8da5a52e35d4482c553a711ef0fbc71ca
    SHA256
    0f434aeaef313ef65ce514450359afb87441c09360be659c5226ce05dc1d1221
    SHA512
    640352961e0722d6dcf8a720a3a38229f5d99f0f83222a7f5dd6ea2e664a6b46b029ca49cc88efbf558330d0a6a194789efd76bb27d2e524eb20c41c766b98e9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    204B
    MD5
    d6a5b10902594aec6712842891e21201
    SHA1
    2c53ed6e6cde78f565507cea31bbbadadce29250
    SHA256
    cd6fb8a0ab697b6cd8b90b03f4ae52727d635712f7744c4365011992bcf99977
    SHA512
    bc6518b5497b4e9019588037685e0c2dce7f4550d8134a8c00d74629ebacb82d731d41c7e63199c83f5e93536489f3561999e581473e550dd5fe6dd640159648

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize
    2.6MB
    MD5
    3c9f37de37548bbb66872f1666b93df6
    SHA1
    6c5aec038e2f7c4c89d29d67248144fc0b102877
    SHA256
    804647d727de232030e04d06a988f05e41909d59f4b023680be204c6a30add98
    SHA512
    ef590ac0ef8f78748cd3a0008625c5a69968a6a9e1f859bae071e21903f3bac5e96de62765603c410d9851855468653b10a88fd3ccd3e40e975ad80f2eaf7440