Analysis

  • max time kernel: 119s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/11/2024, 22:40

General

  • Target: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  • Size: 2.6MB
  • MD5: 11f66d938dd1beae0be6c023b9aacd50
  • SHA1: 968b5292f31dbb428accd5999f271c76b72196bf
  • SHA256: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fec
  • SHA512: 446f2c0cdafa16a915bdb676020f46665ad10dc5d652cfd5385b5ab21d23743cad78be47457b2cec0cfdc784d70175ceaaa8ff968e0794a1bbc24c9018fbdd9d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
    "C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2944
    • C:\FilesVQ\xoptisys.exe
      C:\FilesVQ\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2880

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesVQ\xoptisys.exe
          Filesize: 2.6MB
          MD5: 0cd20510b21780bb2e5b4b74b3b377cb
          SHA1: fa5be7e94658c776a4f909627d632ac292692323
          SHA256: 051c30b5e561fc147c7ed588e2cccfe17a6547507b56c111409aabc5c6209679
          SHA512: 90480dc202b77cd31aea15dad69ddc9a6f9d16da10a14af5742010e07d63bc8a673547bafb83b0853c32847c63131121cac2d764be2296c3c14308cbf3372e2a

        • C:\KaVB0Q\dobdevloc.exe
          Filesize: 2.6MB
          MD5: d55e110c75c3dd15dd66c22499186705
          SHA1: 6fe95d78c9bacdbe39029edcbf7e4508f5a43869
          SHA256: 2bd608f1726851cd174ec0f05e34854c0b2b439ab7d572e81f093cb47d47b41e
          SHA512: 5f52fa873ba3118b9940574c32f1eed38ac442c9bc05392de248af57cd791db926408e04ca514358af2ac1f55fb02621913ca61c7deed56f2520d025f5269c0a

        • C:\KaVB0Q\dobdevloc.exe
          Filesize: 14KB
          MD5: 3d45b0eaee6cd60ad4f5568ac16ef258
          SHA1: d7e11caa9a67cadd55724afe2d1d84adab824cea
          SHA256: ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243
          SHA512: 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 173B
          MD5: 9c8443997158ac1216003b2933d1b19c
          SHA1: 5729e5afeccae88ed2482f040715272bfb155728
          SHA256: 9f3642f619ce75513a07bf74e97c887b366ac21a21bb0f4f3dca68b0b323318b
          SHA512: b47071becc549dbc21315baeb8be0767c61349ccfafa93c2ed842662e3a6026a3b484ea3c1b0809958f63ec675a37cf0c39c8374905308464c32b7ca564055b3

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 205B
          MD5: eab71a5c2494d3391a322105e93b377a
          SHA1: 7330b5792d3a6be394df0797350ce4eed8d13cef
          SHA256: e04c5a3f2a3e21488bc1d75f2c875572d99e1530fd68e8cbe85d59016b196e8b
          SHA512: 980b97ece2ae3413ab27adceb6a556c6b24c6d6363deebd14be25c58934f6dd58fb8a0759cfed8836e67b5792e76a52751e7e5ad107fa46b917604d3559c4fc0

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
          Filesize: 2.6MB
          MD5: b49ae260063b59f31a3acebae8c92988
          SHA1: c2f35b074a1cf92f4c2fa9d62010330d57842123
          SHA256: f76471ac34cb76dc4d4c6f671af21261bc3fcb35d837fec3862a4d4235467c3e
          SHA512: d50b515a9dcbced392999ee6d579b1001e19f3aead44ec5c92134441fc3af0cf13a595b591b48bb9a4ed41dccacf83ab0f769fa4f69e3a17c52c9ec3555e899b