Analysis

max time kernel: 120s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:21
Static task: static1

Behavioral task: behavioral1
Sample: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
Resource: win10v2004-20241007-en
General

Target: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
Size: 2.6MB
MD5: 86cb45f2cd0a7ccf91393b4954cce8d0
SHA1: 14343d9d8807eb1e90f0da27fff66c1a8c5f5a68
SHA256: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5
SHA512: c3a1d0becae18e7216135ab61dcaec9f7b98342fd566c2943f88f847e22f8d39ae1d0b88f0569044d97a942f6762e90958d804b592057bbdacc123dfb56097f1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe

Executes dropped EXE (2 IoCs)
  PID 1284: sysxopti.exe
  PID 1800: xbodec.exe

Loads dropped DLL (2 IoCs)
  PID 1832: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  PID 1832: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQT\\xbodec.exe"
    Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJR\\optiaec.exe"
    Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1832: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe (2 entries)
  PID 1284: sysxopti.exe and PID 1800: xbodec.exe (the remaining 62 entries alternate between these two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1832 (1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe) wrote to memory of PID 1284, procid_target 30 (4 entries)
  PID 1832 (1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe) wrote to memory of PID 1800, procid_target 31 (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1832

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1284

   2. C:\IntelprocQT\xbodec.exe
      Command line: C:\IntelprocQT\xbodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1800
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 787fd77929ecd6aee5e511846f7d25e2
SHA1: d5c8feb39388d2138a4fbfae8db9f7296af04718
SHA256: d88cf49b4f07e0f6fdbf7a2ea28e0465d66d2dbdf8fab2aa0e55d8c7a81b33e9
SHA512: db55ae5cf272bd300990d1420c841b13ae0f674a46f9977d05500f8146a81a8efd1084d8b37f74e8708bf93cbf84e03b150cc462a0a0fd25e0164d037cc52656

Filesize: 171B
MD5: 8fbc6c1597d0f5cd920052140d645828
SHA1: f4cfeb8e0efb4b6f8fdfcf1cb6c4970e07913957
SHA256: 14d020e619e584d1bab6e60bcf5919db042aac10d5d0ddf6a236ce7c567c417c
SHA512: 234b8542c36753b4ec0df7767645aa26293af5e7d5cec912a809a5813363a731c0825df7d6d6c8b3e36e302ddac8cc9e3c5f13a97ddfe690082dcef117920f6b

Filesize: 203B
MD5: 342f11c5c94508550d9b98d5c30b37df
SHA1: e1fb75c54a2e1618abbef165862227c4ff725076
SHA256: 9b5a489dafca978ffa66d406583a5b0fd1f959355ddef72c32b14391192ce452
SHA512: 09cd1f9fcf9667efb3cdde652a3210865229728a0a87e8a7ba191bac40850c110cc6dee48b4603f8f0263648ce0c21c5710099de299ace71940c24f0ab1ab474

Filesize: 740KB
MD5: b62d361dafd2772de46f9d0918904452
SHA1: ac268597381c72e77122f73bbc3cf852b211bfcd
SHA256: 615b87f540423956654a181f2a16946f148ed616d550fcf2cc0f910f8436ba82
SHA512: b17d0efd10a734d87fba0e54545e718cd8e00fb21017d4329402a173c1a364d99afe49320b7efc090a6d6e6ef1c544702b4c100640a6ac0ad5ca8f2be03c137a

Filesize: 543KB
MD5: e45450e5e0153e5edc922afa35f0fcba
SHA1: eeff9d1a952a05d474bf11ef1b84d1efd3427659
SHA256: 4c27fc84455fead86203700483076323925e4bebd813507a00c95ec87a8ad161
SHA512: 5bdb6c1f23bbb932d4d4b12aeef800a3d37e68467188446dd9cb096b4150430686c59081dc7122264b6cc34510b1efb1d3e8597c46d7f10aef9ad3a9a766a476

Filesize: 2.6MB
MD5: e2216571e4d8a5f3ea67ff6b8a036500
SHA1: b0dfd209a5ff195604c1128a8d347db03df0bc38
SHA256: 6d19b44043f2090a5807d54b85933526627f69f9f484e643cd61b4e1fe6e7db0
SHA512: 38c98c9c88eae0f3503dbeac4b76cffb8b545e682d832d7d9852aa17fa5409c90dd1ccea672396039312bca2d4817752b68f2ccb9ca5be02a4791763bbd02654