Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 22:21

General

  • Target

    1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe

  • Size

    2.6MB

  • MD5

    86cb45f2cd0a7ccf91393b4954cce8d0

  • SHA1

    14343d9d8807eb1e90f0da27fff66c1a8c5f5a68

  • SHA256

    1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5

  • SHA512

    c3a1d0becae18e7216135ab61dcaec9f7b98342fd566c2943f88f847e22f8d39ae1d0b88f0569044d97a942f6762e90958d804b592057bbdacc123dfb56097f1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, session cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1032
    • C:\SysDrvIV\xoptiec.exe
      C:\SysDrvIV\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvIV\xoptiec.exe

    Filesize

    2.6MB

    MD5

    8762303ce8d2820a87f7806033f35e88

    SHA1

    644b80d35355c5d5194350227af5c9dd7f58046e

    SHA256

    4af80cff0f0a2ab002109cf5f9bb471b56005cc4bbe5711637393140c3110949

    SHA512

    c95e68a906916b5a3c4e23fe051bb5f76df996331bf984bec6899b8ef0959768b39ad0dd1af3bea4a2ea86f7310fab48b37fafa94c677dad48499e87dde95437

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    dec77a8640e8d3ac29660579bbd9ea95

    SHA1

    576c433dabad22a9d487ef7b229e821e565cd37e

    SHA256

    3d8fed3b7794c541a36980afe1f69077b4e18a94c1a61a420dafc9ffc28f34ff

    SHA512

    d197d60054f498af0823730ee78a3cef0cc183ec22bcba8ba7d1d1669d7a028d4406dd5f89b8add3030ece28744d6cd6f9afc96bdb8ca2392af93ee4569d935e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    78a755c61e0e4297fa96469957786ebd

    SHA1

    8232fe360fafac6d65c15dfd45d3dcd8ae73d61f

    SHA256

    4ecbf53288e0030b561bd198a1ffd9792a78d98b3a7ebbc8735c886e0b160aa9

    SHA512

    df12137cfc2d8598aa5b10e2682d74a58a343a6c11519e77401b1a52a5922f48362936a28e9cb499a57b6e87e2d3b8f90b8cfceb18390a1e215c46a4f656cd66

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    d8f350b6e1d0ddb925eae1f1cbdf2638

    SHA1

    0ccbc63f59985057148880fde6ae816e66783d2c

    SHA256

    60d0d9feb2f8a67df553290ef4133b4f8fd59a50b7359da6d1f877d4cc74bf30

    SHA512

    4fe1f1002b90cbd1d01d05fe5b861e8e9afecd354b965ec6a284c0bc00ee97ec7763edef7252530dc09b5292d6e4a2c468207468422f78ef5834375afeb750f4

  • C:\VidUH\optidevsys.exe

    Filesize

    2.6MB

    MD5

    3a92eccd280e39fe567fa698d725ca02

    SHA1

    d78dfac53b2f4bdef4d9551afa0353319f3bb32a

    SHA256

    6b53e657128cc42afddcc37e46e8d1062111936879ea774e53d2977a5e33f2ee

    SHA512

    2eaf2f371bfa9a37985ecb9860f73283001f3b142cd0f625c93b4b7f5c01349df76cbf05fe6e686af85a7aee5a378ea797e10d3857cc963f9893137b8c61aa1c

  • C:\VidUH\optidevsys.exe

    Filesize

    2.4MB

    MD5

    f51b22ac08b5ae3f57b0bcdc395bebcf

    SHA1

    4b2dff6447209122b41e5099aeece11ea4065c3a

    SHA256

    c628fd2a4500bef7f3ded78694f21d81b56edc539c5ebd510ea712831ed003c4

    SHA512

    8d772915de8772e4846382340460490d2dcdfd420adfef0402ba7ee40ea825702e9980418afb4905487c5d4e0c75be0ef78635cab967e8516eed24ec55df1500
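The persistence and file-drop behaviour recorded in the Signatures, Processes and Downloads sections above can be checked on a live Windows host with the following PowerShell script. It is an added example and is not part of the sandbox report. It assumes it runs as the affected user, generalises the sandbox's "Admin" profile to the current user via $env:APPDATA, and, because the report records that a Run value was added but does not give its name, flags any Run value whose data references one of the reported paths. The .ini under the user profile is not checked, since its name in the report embeds the sandbox user name and OS version and is assumed not to be stable across hosts.

```powershell
# Added hunting script; not part of the sandbox report. Looks for the dropped executables,
# the Startup-folder persistence and the Run-key persistence this report describes.

# SHA256 values taken from the report (submitted sample and dropped executables).
$KnownHashes = @(
    '1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5',  # submitted sample
    '60d0d9feb2f8a67df553290ef4133b4f8fd59a50b7359da6d1f877d4cc74bf30',  # Startup\sysdevbod.exe
    '4af80cff0f0a2ab002109cf5f9bb471b56005cc4bbe5711637393140c3110949',  # C:\SysDrvIV\xoptiec.exe
    '6b53e657128cc42afddcc37e46e8d1062111936879ea774e53d2977a5e33f2ee',  # C:\VidUH\optidevsys.exe (2.6MB write)
    'c628fd2a4500bef7f3ded78694f21d81b56edc539c5ebd510ea712831ed003c4'   # C:\VidUH\optidevsys.exe (2.4MB write)
)

# Paths from the report. The sandbox user was "Admin"; $env:APPDATA generalises that
# to whichever user runs this script (assumption: the stealer uses the per-user Startup folder).
$StartupDir   = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$DroppedPaths = @(
    (Join-Path $StartupDir 'sysdevbod.exe'),
    'C:\SysDrvIV\xoptiec.exe',
    'C:\VidUH\optidevsys.exe'
)

$Findings = @()

# 1. Dropped executables: is the reported path present, and does its content match a reported hash?
foreach ($p in $DroppedPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes -contains $h) { $detail = "SHA256 matches report ($h)" }
    else                           { $detail = "present, SHA256 $h not in report (possible rebuild or variant)" }
    $Findings += [pscustomobject]@{ Check = 'DroppedFile'; Item = $p; Detail = $detail }
}

# 2. Any executable in the Startup folder is worth reviewing; the report shows the sample writing there.
Get-ChildItem -LiteralPath $StartupDir -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $Findings += [pscustomobject]@{ Check = 'StartupFolder'; Item = $_.FullName; Detail = "SHA256 $h" }
}

# 3. Run keys: the report does not name the value that was added, so flag any value whose data
#    references a reported path or the sample's own file name.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$Needles   = $DroppedPaths + '1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe'

foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($MetaProps -contains $prop.Name) { continue }   # provider metadata, not a Run value
        $data = [string]$prop.Value
        foreach ($n in $Needles) {
            if ($data -like "*$n*") {
                $Findings += [pscustomobject]@{ Check = 'RunKey'; Item = "$key\$($prop.Name)"; Detail = $data }
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt if the HKLM Run key must be read on a locked-down host; the HKCU key and the Startup folder are readable as the affected user. A path that exists but whose hash is not in the report is still reported, because the Downloads section shows the same path (C:\VidUH\optidevsys.exe) being written with two different contents during one run, so hash-only matching would miss a rebuilt copy.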