Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Resource: win10v2004-20241007-en
General
Target: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
Size: 2.6MB
MD5: 660de9f89377146f2f21666c17297fe0
SHA1: cf87b3f5cc616c2a52bd03eb7428b89305590fc2
SHA256: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159
SHA512: 0508fd373c7ed3992a1d133c703b7b8ad2e14a936aff7cd8a9035ed4cbb935d5cc657176d332f20b1ad24f40b3d7c9cf84ef181fa5a75ad8354f7a0c53a531f9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUp8bV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe)
- Executes dropped EXE (2 IoCs)
  PID 3096: sysdevopti.exe
  PID 4732: xoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR5\\xoptiloc.exe" (process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB72\\optixsys.exe" (process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4440: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe (4 entries)
  PID 3096: sysdevopti.exe and PID 4732: xoptiloc.exe (the remaining entries, alternating in pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4440 (76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe) wrote to memory of PID 3096, procid_target 88 (3 entries)
  PID 4440 (76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe) wrote to memory of PID 4732, procid_target 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe (PID 4440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 3096)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesR5\xoptiloc.exe (PID 4732)
    Command line: C:\FilesR5\xoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads