Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:12

General

  • Target

    1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe

  • Size

    2.6MB

  • MD5

    86136fac208ef5fbe52c2c0dc47f154e

  • SHA1

    c949bca829e4e76f44c759f102fe4bc82349ddb6

  • SHA256

    1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726

  • SHA512

    cc0b82fb598a230aefad1e09db71cf33e37a6626361ba7d107c276bdf3b575b195236dc868caf31c8f21084ee9a6c10e8d0959426b8e48551be54ad7208cbce2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
    "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408
    • C:\AdobePP\xoptisys.exe
      C:\AdobePP\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3456

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobePP\xoptisys.exe

          Filesize

          2.6MB

          MD5

          ae2f3c238908537647c4ad6c943e0d8f

          SHA1

          f88ee9224614a19931bae0a64814d6900996c39d

          SHA256

          b7cc3a22bb3a7684d4a5104768a8c61ad026fab2746051a24f32b0ec809ef03d

          SHA512

          a0e0783705201c0e8136da4206581b9d93ee44a44fc6c0aacb1f0330d7af63238b661ed98310b97d820973b0c6f886e888d05f33d47d8f95313e236867459767

        • C:\Galax3W\optialoc.exe

          Filesize

          170KB

          MD5

          c1db393f218942df177f17095ceae84f

          SHA1

          a3bc28ab86d669b7c669cc8f576e2b8fc5cd9376

          SHA256

          97e832b5c5659402a71378977b6750da48d6bfdecaa8615333f5f7b23b4b65af

          SHA512

          0fc1927d64d33d21e70571f82497fcd4508f6f65c0c11d85a5d8d5344a7219dbe6c3e8e0b9d922ce479bf7b068e6b9a2dd3c771b0f9b595d83d4ac83dae83067

        • C:\Galax3W\optialoc.exe

          Filesize

          196KB

          MD5

          05d1aef499a939a45d386a8773bff2a5

          SHA1

          ad23ecd183b65f96f85a66aa60f835efe4dabb75

          SHA256

          197d6eea47694e002dcdf2f43e71cd5ab6c52a23efc75bdb466ed23c58bfdcb9

          SHA512

          c21f6eceb5aae3a9d484a2f2979edcd2093dc57bfebbd6befd62cdce27c8ff83f6c2e1b25aabbf1c7da1e55481cf5f5a48fa4d9e67ecbdc61827dec2d247e4c7

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          0fdd8ccd8186e07cb06a5957d55fb3de

          SHA1

          7cf3ecf6a9befa5e0a133b5afff154d1e142b8f9

          SHA256

          26e527d67c04c7fd4164b9b934c1d1e6d1b3c608fb6fc9c90557740a016f03fc

          SHA512

          c8dbc603d10c6b7990fc4898a30585dd2a6556cd6cec2be61ac210f204390532afbbcbd7317aea8c2062e6d7c3ba638ea738d44db267106f54a6dd83886b0949

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          0a22315311f558d805b725cf619e35c9

          SHA1

          f4b933d2be6036c8c6c894504229ae5a6be4dff9

          SHA256

          9c1331cc3dc4cda5577ee183b8a3acc0eb20027463fe021ca5732f13c5428fc5

          SHA512

          3cff51802ca19bc60cd7163743e2a557709dff950b5280a8c355b42337733282e170e847cbb3b37b601cb55803256660ef3e4bf8f3274ad035a5d080ecc3b2dd

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          c46eb6abeea8fdee438a726526b1c81b

          SHA1

          2362db702e400fed2b484bcebb82524080b75c97

          SHA256

          6bb64d782998bb2a9fd2d7ffe4263c6651e7cf62ab6bc4fda0c9cd70d754866d

          SHA512

          edde68ce00dcb1a571c937be7c3a1128d743023663f9895cc67f2c635845b5a431fc867414c116b08af1df817946d1c05bcc3cd67d0c662b6b4d738945df1adf