Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 21:57

General

  • Target: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  • Size: 2.6MB
  • MD5: 660de9f89377146f2f21666c17297fe0
  • SHA1: cf87b3f5cc616c2a52bd03eb7428b89305590fc2
  • SHA256: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159
  • SHA512: 0508fd373c7ed3992a1d133c703b7b8ad2e14a936aff7cd8a9035ed4cbb935d5cc657176d332f20b1ad24f40b3d7c9cf84ef181fa5a75ad8354f7a0c53a531f9
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUp8bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
    "C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3096
    • C:\FilesR5\xoptiloc.exe
      C:\FilesR5\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesR5\xoptiloc.exe
    Filesize: 5KB
    MD5: 35d5f2180b8da2eaecad0679e66dc251
    SHA1: 3e782e20becd6567750bacb04faafd148aadac06
    SHA256: 2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700
    SHA512: 15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

  • C:\FilesR5\xoptiloc.exe
    Filesize: 2.6MB
    MD5: 9c5127b80ffc4681af6cd52ae3cfea70
    SHA1: 13369406941748676ecb6c233acc08c4084e66d4
    SHA256: 4cb301ba46f70b8cd859bf9118e6eb2c4a3f5fe4d0657ac8f738b76a33b8914f
    SHA512: 9bdd45774942199736271c51d9fb7c68e23f97e04a5756a078d9b693a9d21d3077ef2c2d0cbbb64e9bb0d06b1a8bfde54f27679209605172cd535a76c467c0bd

  • C:\KaVB72\optixsys.exe
    Filesize: 256KB
    MD5: d85e65be840f3c8b6782a17b4a1233da
    SHA1: cac7a76612ae2f117fb223bb0d4d4bc884c8ff70
    SHA256: f91074aa73055d937131cd82e9dcddc2d73edad10dc7fb411a052796170da15a
    SHA512: 7fe63753bb9159beb5ce68af253fc79ada6086f200bc9aa2e581f6e1be1cf525a63c1b58631179db8150c412dd9e0b9795c91f0e6e403ffa0f43377de4c2f733

  • C:\KaVB72\optixsys.exe
    Filesize: 2.6MB
    MD5: cce4659630c5abb080d96d051fd284b3
    SHA1: 28c85aecdb8d1822556887ea00a6761320181794
    SHA256: 9dfc89de9c0bdcd29229e3e138a8213cbeb32ee34cfe05bc19233bf7ac5e390c
    SHA512: ee1364d821ef33c819b252e66755715f2e936ed9a8234a9cd478fc235f607408732d45f57efd2bc077a30725fd913c1211e3080ae49c416036c4fa55386bef8a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: a3ec83e7a86458c2b8286ad73d6ba320
    SHA1: 1151412658c4343aa03f28f0993ae1f5bab39ed5
    SHA256: a57ea10a954a8ae26e03d2a56994dfdfa6916f28ef497aa128719492cbe7ac10
    SHA512: 8bbb92afc0e9439ddc62b18a52f69f65448447786807a43575b4b4b73701714022263fee625e6991a07ec0e6eb9927108f19883550f3e1c1f21be5e5bc8d2350

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 8fcf61887f95317f5f385e6548416914
    SHA1: 4086faca05a98f36a823ad96cc99609a12e16b39
    SHA256: 336736246a09aae14323890ba2f735cb0d3b5223c0c91c158962c0213e767d39
    SHA512: 9a04a21df070ce135c84f95d0c3c9acaf238bc2fb674a697f085aac486ea63921a4f6ffa1ed72852d8ed84ce89c2b98b3fa5ddf8842acb996ab2d5f82bf86f51

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 2.6MB
    MD5: 85d56ca0b5a2fc951904c75bb6420928
    SHA1: 3998bc026c97be2a6f2830509f22eb98b0870bb6
    SHA256: eb7d793ea8f4ebfd519b42695fb46c0b87da082096826ffea985c7a6ebeb5231
    SHA512: b78268ac49e3370c55e303023a852a68c01f86fe82a3f0490841f9c3292daa7e0a1688a514df1c93ff36373a7a779a062bebb3532355f4eecd1096a2b7578d67