Analysis

  • max time kernel: 120s
  • max time network: 18s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/11/2024, 22:21

General

  • Target: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  • Size: 2.6MB
  • MD5: 86cb45f2cd0a7ccf91393b4954cce8d0
  • SHA1: 14343d9d8807eb1e90f0da27fff66c1a8c5f5a68
  • SHA256: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5
  • SHA512: c3a1d0becae18e7216135ab61dcaec9f7b98342fd566c2943f88f847e22f8d39ae1d0b88f0569044d97a942f6762e90958d804b592057bbdacc123dfb56097f1
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1284
    • C:\IntelprocQT\xbodec.exe
      C:\IntelprocQT\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocQT\xbodec.exe
    Filesize: 2.6MB
    MD5: 787fd77929ecd6aee5e511846f7d25e2
    SHA1: d5c8feb39388d2138a4fbfae8db9f7296af04718
    SHA256: d88cf49b4f07e0f6fdbf7a2ea28e0465d66d2dbdf8fab2aa0e55d8c7a81b33e9
    SHA512: db55ae5cf272bd300990d1420c841b13ae0f674a46f9977d05500f8146a81a8efd1084d8b37f74e8708bf93cbf84e03b150cc462a0a0fd25e0164d037cc52656

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 8fbc6c1597d0f5cd920052140d645828
    SHA1: f4cfeb8e0efb4b6f8fdfcf1cb6c4970e07913957
    SHA256: 14d020e619e584d1bab6e60bcf5919db042aac10d5d0ddf6a236ce7c567c417c
    SHA512: 234b8542c36753b4ec0df7767645aa26293af5e7d5cec912a809a5813363a731c0825df7d6d6c8b3e36e302ddac8cc9e3c5f13a97ddfe690082dcef117920f6b

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 342f11c5c94508550d9b98d5c30b37df
    SHA1: e1fb75c54a2e1618abbef165862227c4ff725076
    SHA256: 9b5a489dafca978ffa66d406583a5b0fd1f959355ddef72c32b14391192ce452
    SHA512: 09cd1f9fcf9667efb3cdde652a3210865229728a0a87e8a7ba191bac40850c110cc6dee48b4603f8f0263648ce0c21c5710099de299ace71940c24f0ab1ab474

  • C:\VidJR\optiaec.exe
    Filesize: 740KB
    MD5: b62d361dafd2772de46f9d0918904452
    SHA1: ac268597381c72e77122f73bbc3cf852b211bfcd
    SHA256: 615b87f540423956654a181f2a16946f148ed616d550fcf2cc0f910f8436ba82
    SHA512: b17d0efd10a734d87fba0e54545e718cd8e00fb21017d4329402a173c1a364d99afe49320b7efc090a6d6e6ef1c544702b4c100640a6ac0ad5ca8f2be03c137a

  • C:\VidJR\optiaec.exe
    Filesize: 543KB
    MD5: e45450e5e0153e5edc922afa35f0fcba
    SHA1: eeff9d1a952a05d474bf11ef1b84d1efd3427659
    SHA256: 4c27fc84455fead86203700483076323925e4bebd813507a00c95ec87a8ad161
    SHA512: 5bdb6c1f23bbb932d4d4b12aeef800a3d37e68467188446dd9cb096b4150430686c59081dc7122264b6cc34510b1efb1d3e8597c46d7f10aef9ad3a9a766a476

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: e2216571e4d8a5f3ea67ff6b8a036500
    SHA1: b0dfd209a5ff195604c1128a8d347db03df0bc38
    SHA256: 6d19b44043f2090a5807d54b85933526627f69f9f484e643cd61b4e1fe6e7db0
    SHA512: 38c98c9c88eae0f3503dbeac4b76cffb8b545e682d832d7d9852aa17fa5409c90dd1ccea672396039312bca2d4817752b68f2ccb9ca5be02a4791763bbd02654