Analysis
- Max time kernel: 119s
- Max time network: 94s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 08/11/2024, 12:59
- Static task: static1
- Behavioral task: behavioral1
  Sample: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  Resource: win10v2004-20241007-en
General
- Target: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
- Size: 2.6MB
- MD5: 3e6f50ee48a51e32b20aa767477164b0
- SHA1: 9ec5f2e7f8aa2bd95aa2c69b0d2ce3e2163ce213
- SHA256: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772
- SHA512: 9d20dca9f66d192f2f52488a41b323862e9d76758b6cb2b5899e6dfe0acac53ab3861778bfa43cfde73e5a3a2151e9de7dd3e6517254598473b0659873849b7c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUphb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Process: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
- Executes dropped EXE (2 IoCs)
  PID 2656: sysaopti.exe
  PID 4068: xoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6Y\\xoptiloc.exe"
  Process: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQK\\bodxloc.exe"
  Process: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysaopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe): 4 events
  PID 2656 (sysaopti.exe): 30 events
  PID 4068 (xoptiloc.exe): 30 events
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 2656, procid_target 87
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 2656, procid_target 87
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 2656, procid_target 87
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 4068, procid_target 88
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 4068, procid_target 88
  PID 2380 (3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe) wrote to memory of PID 4068, procid_target 88
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe"
  PID: 2380
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of PID 2380): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 2656
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Depth 2 (child of PID 2380): C:\Intelproc6Y\xoptiloc.exe
    Command line: C:\Intelproc6Y\xoptiloc.exe
    PID: 4068
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads