Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 12:59

General

  • Target: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
  • Size: 2.6MB
  • MD5: 3e6f50ee48a51e32b20aa767477164b0
  • SHA1: 9ec5f2e7f8aa2bd95aa2c69b0d2ce3e2163ce213
  • SHA256: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772
  • SHA512: 9d20dca9f66d192f2f52488a41b323862e9d76758b6cb2b5899e6dfe0acac53ab3861778bfa43cfde73e5a3a2151e9de7dd3e6517254598473b0659873849b7c
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe"
    PID: 2380
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (child of PID 2380)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      PID: 2656
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\Intelproc6Y\xoptiloc.exe (child of PID 2380)
      Command line: C:\Intelproc6Y\xoptiloc.exe
      PID: 4068
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

Downloads

  • C:\Intelproc6Y\xoptiloc.exe
    Filesize: 2.6MB
    MD5: 133e3aa62a4f5b8d484640f5b695e9ea
    SHA1: 55b19c8b0c35a91af4798fa198e53edbcbd7be08
    SHA256: 905d5fcfd5cca2ea0140ed260b82c77f715c05cd8fb189587a9408356d0c20a2
    SHA512: 2abc6936076b6e7095aa920adc86997921578e3349a3930eb3d9f9f0eda07a12a0438c91268c6bc173cba784fa90547487bda482f73071414c6a317b106183ed

  • C:\LabZQK\bodxloc.exe
    Filesize: 615KB
    MD5: 41de40a79781386cd565f96a1bf86add
    SHA1: e6f570e175ab099a4b33799423d6a44885562e4f
    SHA256: 09773ad1b2aa931c35dfdf509b076148e51de800e49517bc41ec3f6f9bd85b1f
    SHA512: f1b7182e9c3f2a756cd6dcfe71b76f5ee041bb5c56d8db69f53c0e2d901785f248fdad59331a39890d2d67934d9767cc11276945de8cb7cee463345e401fb0f4

  • C:\LabZQK\bodxloc.exe
    Filesize: 2.6MB
    MD5: 4a6907c42a18aea34c678ce306c1842a
    SHA1: 8784d2c3affb1de74bfa04c78602fb28648214b5
    SHA256: 792d194047ce45761ea22696affda1b9f214b313f7acc1d3bdaf96b7edf5b8e1
    SHA512: b3535b5817359e2f04806d45f519ee7b0fec68e0a7455081c892f7fd58a718cc7611ad24eadb5a9aa93a53f6efddde18512f7a1069f0ea796d9e4b6e209d41ad

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: be43caed81e77a04905770d1c9cb2d8c
    SHA1: 2b971fc541e031386ee289b143f5c962124dcc4c
    SHA256: b233dbac69bdeb9c747161490d22ce43d2c50d77fa21b1c625b3729ee8c23f31
    SHA512: 944b45ae5bcfc76813eef8bd213dbedaca8f23a64a3747f6e59253abe4804fbaa38e860309156fa19a59f2d992abccf6115595e88f1b4b3d58f3c8ee76c6b983

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 174B
    MD5: 9b9da5991f68ce879aab33c91e3ed676
    SHA1: 290ed55f7b65ba5bdbc1d9c778d0e9062c0f2a34
    SHA256: ab3bd087fec7551afef258c923f95f2db59ea9f9a39b5f713b1b2a3a2092eb4e
    SHA512: 32d233ef65043207b10d7cc89969c27ccd06faa8e3ef10963188bb7ba199c3848a6ee6e955b34e9a8ac728560070ebdd0404e7012287bf6c4bf693db1c03548d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 2.6MB
    MD5: e6a91c807c0f6db73716bc68049c3d5b
    SHA1: 2ff33c23eb21e5b07686569017d63cba27200684
    SHA256: f56fc33525e8dc582c64d15e78b80f8024831f842fe048ee13ecbb0c3973f367
    SHA512: 954ac4a2645af7b0184b6fff5aef866658e7e93a695f85d43ebaa8052d48ee1216f627c6fa71fed8bd5ffe91dcaef69e8b07fa2d6b02b4ea50690e67907bdd36