Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:20
Static task: static1
Behavioral task: behavioral1
  Sample: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  Resource: win10v2004-20241007-en
General
Target: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Size: 3.1MB
MD5: c284c6203db5dba4a4b6f1ea9720bd0d
SHA1: 874f0a69066689da4cca052d116f4d7348159b1e
SHA256: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a
SHA512: 2b4fd26bade0a083a96075a1e21e40ad30377276ea3f68aef3466718c3bfa1ab38fb007899721101db57a0c99a4c9cce67deca5c5cf2f7854f542a05e8de10cd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUphbVz8eLFc
Malware Config
Signatures
Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Executes dropped EXE (2 IoCs)
  pid 2372  Process sysxopti.exe
  pid 2820  Process aoptisys.exe
Loads dropped DLL (2 IoCs)
  pid 2344  Process 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  pid 2344  Process 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLU\\aoptisys.exe"
    Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFG\\dobdevsys.exe"
    Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
  2372  sysxopti.exe
  2820  aoptisys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2344 wrote to memory of 2372   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  30
  PID 2344 wrote to memory of 2372   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  30
  PID 2344 wrote to memory of 2372   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  30
  PID 2344 wrote to memory of 2372   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  30
  PID 2344 wrote to memory of 2820   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  31
  PID 2344 wrote to memory of 2820   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  31
  PID 2344 wrote to memory of 2820   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  31
  PID 2344 wrote to memory of 2820   2344  53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2344
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2372
  C:\IntelprocLU\aoptisys.exe (depth 2)
    Command line: C:\IntelprocLU\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2820
Network
MITRE ATT&CK Enterprise v15
Downloads