Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:20

General

  • Target

    12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe

  • Size

    2.6MB

  • MD5

    b4c9c128686a3fac8b814409e999a4c0

  • SHA1

    c04f59affa44c0a1f545ade6c6145b66f6797db7

  • SHA256

    12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988b

  • SHA512

    39ae727769be238737997b53e6dcbe94e9b79d25ab99ea120930954e9802649bd389522fc0aff82c44bb1314142d880fd8d105fa329ceb3d237e351cfa8a3581

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
    "C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1860
    • C:\IntelprocU3\devbodloc.exe
      C:\IntelprocU3\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxHD\optixsys.exe

    Filesize

    2.6MB

    MD5

    222773639d25f952cdaa0fbb0364aa0b

    SHA1

    9b051ea518b4bb198922e2244143223f1d0b1343

    SHA256

    f0d1241b4a022d29132236b5ca618329659cb8be5e2f0a17980df28d55d06fe5

    SHA512

    4b45ced75c4bac6499501506e5111c2009064f9b3dccf78f8904a6deaba0e043955c2e3cde6e4d7ab10c0966121c64db451e9d76956047acd73911f7f3ba20b7

  • C:\GalaxHD\optixsys.exe

    Filesize

    541KB

    MD5

    eb0c63ab1da6660e272d7b24027edf8a

    SHA1

    ef879a9f53d98468ab200f4f4fdeba286d50c399

    SHA256

    6ea25695a9aad32904703c66f8beada7524903e101092b29b376f2f7cce84be5

    SHA512

    a767c6dd453ad3f06291187328b241bf19123f2bdd9df15ba19e2e2b491ad90fda38d99de7a011ea0aa3b6ec5be7b07d0c4a40379a11377d182a1c26a87785eb

  • C:\IntelprocU3\devbodloc.exe

    Filesize

    2.6MB

    MD5

    ad0973545ad7a819117a5b73197f293f

    SHA1

    cf2a5a414dae9a6b61a285a87ef47edbf846fa15

    SHA256

    3b2eab8e166336d56f6dfd703a4d0b2940eefb6cdc723ae9267a1694eeff00fd

    SHA512

    96347c1506c1f8ed024bc7f8aa99b90025299be9cda9fcecab86df08dceda26a2aeb6be916422acff25e4a511d5fe8201b4095884e144ae9613e64828f0a9add

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    209B

    MD5

    5f6ca4cc2b075e2b11e32a7ec71bc70e

    SHA1

    24951ab8f44063e25715bfd82118da5b7e4ec527

    SHA256

    aca13e89a56b65b3bc57ecddebbe305d3d50a80ffe4cecd58403a58202729d70

    SHA512

    efcc1cc37f1f4fea07c4de30d5a106a69b2e4a2d9a71e8ba105a5b8871add17943a48336d0ebbed661fc83ecfa65c7b0ba04060f40e0bd10e32ec7691ee35afd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    177B

    MD5

    01d1e67194782b6c2ea5ed3e0e661cc3

    SHA1

    037bf6d4cbdd9eaf57ec40dbacefb71f5dbb60c3

    SHA256

    bf392157ec9eb269a6e0a429e046e4a2e49d7b7cdc73e5d1c9a7fbd66414eeb8

    SHA512

    4b63df07fe5a6b45379d1125fb4e79d5c2956688f8c023339655518fb88fe168dccaaf158b92f28c40bd903f860ab2f650731655663e3150859b118cc09a27d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    6f2245941a8371be1ee4fcb96e5a2a7e

    SHA1

    1f919390c5ee7e77d688c72d803f6f0f55ece33e

    SHA256

    4046ef8c05f4af50ea5bb708f08b9cacf662195a2bb3771314651ce9007ac516

    SHA512

    75f536b1ef87151250f977f2955a34390634f35c64171113d9937baffb2a565a2b3b4c6c1fa5aad8e0155f5304a18d85280585af577d7608a463c311c7e1210e