Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/11/2024, 22:20

General

  • Target: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  • Size: 3.1MB
  • MD5: c284c6203db5dba4a4b6f1ea9720bd0d
  • SHA1: 874f0a69066689da4cca052d116f4d7348159b1e
  • SHA256: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a
  • SHA512: 2b4fd26bade0a083a96075a1e21e40ad30377276ea3f68aef3466718c3bfa1ab38fb007899721101db57a0c99a4c9cce67deca5c5cf2f7854f542a05e8de10cd
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUphbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
    "C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2372
    • C:\IntelprocLU\aoptisys.exe
      C:\IntelprocLU\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxFG\dobdevsys.exe
    Filesize: 3.1MB
    MD5: 4697ca82883e7a70f47e5fac2118fe4e
    SHA1: 6b8a443bdad12f52dd3d67d4f29126fa26d74549
    SHA256: 7e7ed846f9e9feee7650e6fd3811570207c71dab7142adf0e2f653f16a04fc60
    SHA512: 3746f33664dd4b0b84accf4cc9d9fd1aacb6afe451515edd8908e0052017ff720dd404e64372016e5e1af2ab80e56f3f7d5db58aff738335e4aa43325c1ffad5

  • C:\GalaxFG\dobdevsys.exe
    Filesize: 3.1MB
    MD5: 5426c2bba186c7bfb14c05654e5fc3f0
    SHA1: d432ece5634fe6372153c785828891fd197d9f33
    SHA256: 4407a5f06a88a45538b21ab61b941f0ab491c2ee032b8e0b0d35350185e9b1c6
    SHA512: 7bdb5dce337ae3eefd8d8781d5db3e4e2c45f029f68e1ce4dbecfd5e6211cf4292f8436432110a1bb8874dd9d2ba20043ff36c60fd2389df7b77f1d70b03bd17

  • C:\IntelprocLU\aoptisys.exe
    Filesize: 3.1MB
    MD5: b29a9b77e287e62b9682863711f531c3
    SHA1: 69a17bad287c0079d380e82daddd28cfc4f78342
    SHA256: 61072589846599e9632fc62a5c90998ead8d9d83307665cfa918841997f0c6bc
    SHA512: aab49fad0f9ecb9be79a5f2b486618d462402fdae3b19835be966f0ae48b9cb5d337b2fb269e8165a40b42b0888cc008bba051cae5af6d46d5a8e29d6261994d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 177B
    MD5: a50d253f718408011f718d0178033b06
    SHA1: 6495e7ee7acd923b599d501dad0655e5e6137aac
    SHA256: 72a203e834f6a79ae1ce9ee03761fcc104c8178a16ca7d354c85d9aedae51652
    SHA512: 9876049cb049e5945acb1109446f84b8c4a465bff42e3c12903b8631f4d447fbfb8a9c7f827bbdff892bb9aa3e712d406450385e80a01c969234772d9609c2f7

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 209B
    MD5: ab600124b994ee9fb1a667217fd9c034
    SHA1: 5fc8cfb48e5005e6a84928a4b6c87c82fdd8e55d
    SHA256: 67c9fcb8cc188ce000398979d7680756ce991334652644dfbef5010a3e920e68
    SHA512: bd8d118258d70443e984d95f264074936647a917ba200cfd83b04566bcc5454c3f3c40cc658ab9d7563e39b93f0a74512372b21ec62a49cf24929dc3e2dd8252

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 3.1MB
    MD5: 28e6ec3920dac9ebe6da4661c81aeed8
    SHA1: ac8090d4e868e436fbdd73c8eb05651dc2bec8c1
    SHA256: 395b098cf81048c9e4a3246f217ae394e55dd5c6b077c1cd355042b35850de3c
    SHA512: d049b9bd8c6858cca2b9c957e223bcb272116f64387ba271a0d701d41bbb19adc534a2bf1f828ba68b944b0ce84b68dde6cbbcf33ef6d6e02df405f8b1d21ecd