Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:21
Static task: static1
Behavioral task: behavioral1
  Sample: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
  Resource: win10v2004-20241007-en
General
Target: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
Size: 2.6MB
MD5: 86cb45f2cd0a7ccf91393b4954cce8d0
SHA1: 14343d9d8807eb1e90f0da27fff66c1a8c5f5a68
SHA256: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5
SHA512: c3a1d0becae18e7216135ab61dcaec9f7b98342fd566c2943f88f847e22f8d39ae1d0b88f0569044d97a942f6762e90958d804b592057bbdacc123dfb56097f1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe

Executes dropped EXE (2 IoCs)
  pid 1032: sysdevbod.exe
  pid 432: xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIV\\xoptiec.exe"
  Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUH\\optidevsys.exe"
  Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysdevbod.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3316 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe 3316 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe 3316 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe 3316 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe 1032 sysdevbod.exe 1032 sysdevbod.exe 432 xoptiec.exe 432 xoptiec.exe -
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3316 wrote to memory of 1032 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 89)
  PID 3316 wrote to memory of 1032 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 89)
  PID 3316 wrote to memory of 1032 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 89)
  PID 3316 wrote to memory of 432 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 92)
  PID 3316 wrote to memory of 432 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 92)
  PID 3316 wrote to memory of 432 (process: 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe, procid_target: 92)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
   PID: 3316
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      PID: 1032
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\SysDrvIV\xoptiec.exe
      command line: C:\SysDrvIV\xoptiec.exe
      PID: 432
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads