Analysis
max time kernel: 120s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 08/11/2024, 22:38
Static task
static1
Behavioral task
behavioral1
Sample
c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Resource
win10v2004-20241007-en
General
Target: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Size: 2.6MB
MD5: 44e34eb4cc19d4dd6e2cd8838b5bdb80
SHA1: e87d983c1eb39ef25554dec73e82ef355c9fb613
SHA256: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4c
SHA512: 71cd4921c9a49e5e6e3224372223053e03169b0e6ca2b58080e421aee98abfa9703d4e26c556b88dab89bf0143b0212505c7411aae1dd8dcb0d430556b9a69d9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1948 | sysaopti.exe
  2488 | xoptisys.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOS\\xoptisys.exe" | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN8\\boddevec.exe" | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe (2 entries)
  1948 | sysaopti.exe (31 entries, alternating with the 2488 entries in the original listing)
  2488 | xoptisys.exe (31 entries, alternating with the 1948 entries in the original listing)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2296 wrote to memory of 1948 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 31
  PID 2296 wrote to memory of 1948 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 31
  PID 2296 wrote to memory of 1948 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 31
  PID 2296 wrote to memory of 1948 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 31
  PID 2296 wrote to memory of 2488 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 32
  PID 2296 wrote to memory of 2488 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 32
  PID 2296 wrote to memory of 2488 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 32
  PID 2296 wrote to memory of 2488 | 2296 | c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | 32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
  PID: 2296
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 1948
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\FilesOS\xoptisys.exe
    Command line: C:\FilesOS\xoptisys.exe
    PID: 2488
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: f47d3ed1ec0191e8e04342d56042d404
SHA1: 048d0a6133bdb3c34459590b4461b37b8b7a9bd6
SHA256: d51705ce4bd3500a7460f8b0d2b3eaa8e3c96647121b2a5b7093c1cd65bfc11e
SHA512: b3aab846a94f8eca9f1ea3dd2da460f381875661013cb7e663e6743c503e4cf6687dbb488921c4c21abd0a5653431348b4d7f3facfc5508417702272cb422c24

Filesize: 2.6MB
MD5: dc722a0a73cee1cc98262cd5e6551c77
SHA1: 9305e0c49e5fe4f8f5df90c79a63c2832d90ae47
SHA256: 010279982d9eb2ab3a880f63542ed5e190e6ccf1a9e8607686d7506927d41663
SHA512: f0f62750b5c5a7687883873260ce96176427dc16fb9b9591e6c69e637712b83465b1092df3c61ae407f3f0e4f4511d1800aae62b7d5860866b9e3739e7b40266

Filesize: 2.6MB
MD5: 863123681298bd5462c226091bda452b
SHA1: 0fd460c9579adf2bb754d8186541fe4372ea9d1d
SHA256: fcf83987c86f3b54956a6279341961ab17402e83058b0bb8436bb70a00c457a2
SHA512: 681fbb44aa718a465fa1022a7944c2c87946272cc0b48b81c9b12a5a30b54ae5790e02e1ffaca7b369fe6750e9b1cf1baf373840f80b8498de53365f0cabb9e9

Filesize: 172B
MD5: 43e74dae0f285af34c742be1346ca218
SHA1: 6c09d5a8da5a52e35d4482c553a711ef0fbc71ca
SHA256: 0f434aeaef313ef65ce514450359afb87441c09360be659c5226ce05dc1d1221
SHA512: 640352961e0722d6dcf8a720a3a38229f5d99f0f83222a7f5dd6ea2e664a6b46b029ca49cc88efbf558330d0a6a194789efd76bb27d2e524eb20c41c766b98e9

Filesize: 204B
MD5: d6a5b10902594aec6712842891e21201
SHA1: 2c53ed6e6cde78f565507cea31bbbadadce29250
SHA256: cd6fb8a0ab697b6cd8b90b03f4ae52727d635712f7744c4365011992bcf99977
SHA512: bc6518b5497b4e9019588037685e0c2dce7f4550d8134a8c00d74629ebacb82d731d41c7e63199c83f5e93536489f3561999e581473e550dd5fe6dd640159648

Filesize: 2.6MB
MD5: 3c9f37de37548bbb66872f1666b93df6
SHA1: 6c5aec038e2f7c4c89d29d67248144fc0b102877
SHA256: 804647d727de232030e04d06a988f05e41909d59f4b023680be204c6a30add98
SHA512: ef590ac0ef8f78748cd3a0008625c5a69968a6a9e1f859bae071e21903f3bac5e96de62765603c410d9851855468653b10a88fd3ccd3e40e975ad80f2eaf7440