Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 22:40
Static task: static1
Behavioral task: behavioral1
- Sample: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- Resource: win10v2004-20241007-en
General
- Target: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- Size: 2.6MB
- MD5: 11f66d938dd1beae0be6c023b9aacd50
- SHA1: 968b5292f31dbb428accd5999f271c76b72196bf
- SHA256: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fec
- SHA512: 446f2c0cdafa16a915bdb676020f46665ad10dc5d652cfd5385b5ab21d23743cad78be47457b2cec0cfdc784d70175ceaaa8ff968e0794a1bbc24c9018fbdd9d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2944 | sysdevbod.exe
  2880 | xoptisys.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVQ\\xoptisys.exe" | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0Q\\dobdevloc.exe" | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  2944 | sysdevbod.exe
  2880 | xoptisys.exe
  (the remaining entries, up to the 64 listed, alternate between 2944 sysdevbod.exe and 2880 xoptisys.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2496 wrote to memory of 2944 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 30
  PID 2496 wrote to memory of 2944 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 30
  PID 2496 wrote to memory of 2944 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 30
  PID 2496 wrote to memory of 2944 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 30
  PID 2496 wrote to memory of 2880 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 31
  PID 2496 wrote to memory of 2880 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 31
  PID 2496 wrote to memory of 2880 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 31
  PID 2496 wrote to memory of 2880 | 2496 | 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2496
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2944
  - C:\FilesVQ\xoptisys.exe (level 2)
    command line: C:\FilesVQ\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2880
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 0cd20510b21780bb2e5b4b74b3b377cb
  SHA1: fa5be7e94658c776a4f909627d632ac292692323
  SHA256: 051c30b5e561fc147c7ed588e2cccfe17a6547507b56c111409aabc5c6209679
  SHA512: 90480dc202b77cd31aea15dad69ddc9a6f9d16da10a14af5742010e07d63bc8a673547bafb83b0853c32847c63131121cac2d764be2296c3c14308cbf3372e2a
- Filesize: 2.6MB
  MD5: d55e110c75c3dd15dd66c22499186705
  SHA1: 6fe95d78c9bacdbe39029edcbf7e4508f5a43869
  SHA256: 2bd608f1726851cd174ec0f05e34854c0b2b439ab7d572e81f093cb47d47b41e
  SHA512: 5f52fa873ba3118b9940574c32f1eed38ac442c9bc05392de248af57cd791db926408e04ca514358af2ac1f55fb02621913ca61c7deed56f2520d025f5269c0a
- Filesize: 14KB
  MD5: 3d45b0eaee6cd60ad4f5568ac16ef258
  SHA1: d7e11caa9a67cadd55724afe2d1d84adab824cea
  SHA256: ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243
  SHA512: 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b
- Filesize: 173B
  MD5: 9c8443997158ac1216003b2933d1b19c
  SHA1: 5729e5afeccae88ed2482f040715272bfb155728
  SHA256: 9f3642f619ce75513a07bf74e97c887b366ac21a21bb0f4f3dca68b0b323318b
  SHA512: b47071becc549dbc21315baeb8be0767c61349ccfafa93c2ed842662e3a6026a3b484ea3c1b0809958f63ec675a37cf0c39c8374905308464c32b7ca564055b3
- Filesize: 205B
  MD5: eab71a5c2494d3391a322105e93b377a
  SHA1: 7330b5792d3a6be394df0797350ce4eed8d13cef
  SHA256: e04c5a3f2a3e21488bc1d75f2c875572d99e1530fd68e8cbe85d59016b196e8b
  SHA512: 980b97ece2ae3413ab27adceb6a556c6b24c6d6363deebd14be25c58934f6dd58fb8a0759cfed8836e67b5792e76a52751e7e5ad107fa46b917604d3559c4fc0
- Filesize: 2.6MB
  MD5: b49ae260063b59f31a3acebae8c92988
  SHA1: c2f35b074a1cf92f4c2fa9d62010330d57842123
  SHA256: f76471ac34cb76dc4d4c6f671af21261bc3fcb35d837fec3862a4d4235467c3e
  SHA512: d50b515a9dcbced392999ee6d579b1001e19f3aead44ec5c92134441fc3af0cf13a595b591b48bb9a4ed41dccacf83ab0f769fa4f69e3a17c52c9ec3555e899b