Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Resource: win10v2004-20241007-en
General
Target: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
Size: 2.6MB
MD5: b4c9c128686a3fac8b814409e999a4c0
SHA1: c04f59affa44c0a1f545ade6c6145b66f6797db7
SHA256: 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988b
SHA512: 39ae727769be238737997b53e6dcbe94e9b79d25ab99ea120930954e9802649bd389522fc0aff82c44bb1314142d880fd8d105fa329ceb3d237e351cfa8a3581
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
-
Drops startup file (1 IoC)
Processes:
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | Process
  1860 | sysaopti.exe
  1752 | devbodloc.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive user data. No per-process IoCs are listed for this signature in the report.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU3\\devbodloc.exe" | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHD\\optixsys.exe" | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
Both values share the name Parametr. The Run target C:\IntelprocU3\devbodloc.exe is also executed during the run (PID 1752 below); the RunOnce target C:\GalaxHD\optixsys.exe does not appear anywhere else in this trace, so a host check should cover C:\GalaxHD as well as C:\IntelprocU3.
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | Process | entries
  4236 | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | 4
  1860 | sysaopti.exe | 30
  1752 | devbodloc.exe | 30
The original listing repeats the same three pid/process pairs 64 times (four for the dropper, then alternating pairs of entries for the two dropped processes); it is collapsed here to one row per process.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | Process | procid_target | entries
  PID 4236 wrote to memory of 1860 | 4236 | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | 86 | 3
  PID 4236 wrote to memory of 1752 | 4236 | 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | 89 | 3
Both targets are the dropper's own freshly spawned children (PIDs 1860 and 1752 in the process tree below). A few writes from a parent into a process it has just created is consistent with what process creation itself produces, so this signature on its own does not show injection into a foreign process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
    PID: 4236
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      PID: 1860
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\IntelprocU3\devbodloc.exe
      Command line: C:\IntelprocU3\devbodloc.exe
      PID: 1752
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
-
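The persistence checks a detection engineer would derive from the Signatures and process tree above, as an added example that is not part of the sandbox report or of any sandbox tooling. It runs over events constructed from this report: the two Run/RunOnce values, the Startup-folder drop, the two child processes and the six WriteProcessMemory entries. The event dictionaries, their field names (kind, key, value, data, path, pid, ppid, target) and the function names are an assumed normalisation of the report's tables, not a real sandbox API; the file_create event for devbodloc.exe is inferred from the "Executes dropped EXE" signature, since the report does not list the write itself.

```python
"""Persistence checks over events constructed from the sandbox report.
Added example; the event schema is an assumed normalisation, not a sandbox API."""
import re

SID = "S-1-5-21-2045521122-590294423-3465680274-1000"
CURVER = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DROPPER = "12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"

# Constructed from the report's "Adds Run key", "Drops startup file",
# "Executes dropped EXE" and "WriteProcessMemory" entries. The devbodloc.exe
# file_create is inferred from "Executes dropped EXE"; the report omits the write.
EVENTS = [
    {"kind": "proc_start", "pid": 4236, "ppid": 0,
     "path": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + DROPPER},
    {"kind": "reg_set", "pid": 4236, "key": CURVER + r"\Run",
     "value": "Parametr", "data": r"C:\IntelprocU3\devbodloc.exe"},
    {"kind": "reg_set", "pid": 4236, "key": CURVER + r"\RunOnce",
     "value": "Parametr", "data": r"C:\GalaxHD\optixsys.exe"},
    {"kind": "file_create", "pid": 4236, "path": STARTUP + r"\sysaopti.exe"},
    {"kind": "file_create", "pid": 4236, "path": r"C:\IntelprocU3\devbodloc.exe"},
    {"kind": "proc_start", "pid": 1860, "ppid": 4236, "path": STARTUP + r"\sysaopti.exe"},
    {"kind": "proc_start", "pid": 1752, "ppid": 4236, "path": r"C:\IntelprocU3\devbodloc.exe"},
] + [{"kind": "write_memory", "pid": 4236, "target": t}
     for t in (1860, 1860, 1860, 1752, 1752, 1752)]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|com|bat|cmd|vbs|js|lnk)$",
    re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_path(cmdline):
    """Executable part of a Run value: the quoted path, else the first token.
    An unquoted path containing spaces gets truncated and therefore flagged as
    untrusted, which is the conservative outcome for a persistence check."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"') and cmdline.find('"', 1) > 0:
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def flag_autoruns(events):
    """Run/RunOnce values that point outside Windows/Program Files, and
    executable content written into a Startup folder."""
    findings = []
    for e in events:
        if e["kind"] == "reg_set":
            m = RUN_KEY_RE.search(e["key"])
            if m and not is_trusted(image_path(e["data"])):
                findings.append(("run_key", m.group(1), e["value"], e["data"]))
        elif e["kind"] == "file_create" and STARTUP_RE.search(e["path"]):
            findings.append(("startup_drop", e["path"]))
    return findings


def autorun_targets_observed(events):
    """For each flagged Run/RunOnce target, whether the trace also shows that
    path being written or started. A target never observed in the sandbox
    window (here optixsys.exe) still has to be hunted for on the host."""
    seen = {e["path"].lower() for e in events if e["kind"] in ("file_create", "proc_start")}
    return {f[3]: image_path(f[3]).lower() in seen
            for f in flag_autoruns(events) if f[0] == "run_key"}


def memory_write_targets(events):
    """Split WriteProcessMemory targets into the writer's own children and
    foreign processes. Writes into a just-spawned child are what process
    creation itself produces; only the foreign list points at injection."""
    children = {(e["ppid"], e["pid"]) for e in events if e["kind"] == "proc_start"}
    own, foreign = set(), set()
    for e in events:
        if e["kind"] == "write_memory":
            (own if (e["pid"], e["target"]) in children else foreign).add(e["target"])
    return sorted(own), sorted(foreign)


if __name__ == "__main__":
    for finding in flag_autoruns(EVENTS):
        print(*finding)
    print(autorun_targets_observed(EVENTS))
    print(memory_write_targets(EVENTS))
```

On this report's events the checks flag the Run and RunOnce values and the Startup-folder drop, report that only the Run target was ever seen on disk or running, and classify all six memory writes as writes into the dropper's own children with no foreign target, which is why the WriteProcessMemory signature is treated as a caveat rather than as evidence of injection.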
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: 222773639d25f952cdaa0fbb0364aa0b
SHA1: 9b051ea518b4bb198922e2244143223f1d0b1343
SHA256: f0d1241b4a022d29132236b5ca618329659cb8be5e2f0a17980df28d55d06fe5
SHA512: 4b45ced75c4bac6499501506e5111c2009064f9b3dccf78f8904a6deaba0e043955c2e3cde6e4d7ab10c0966121c64db451e9d76956047acd73911f7f3ba20b7
-
Filesize: 541KB
MD5: eb0c63ab1da6660e272d7b24027edf8a
SHA1: ef879a9f53d98468ab200f4f4fdeba286d50c399
SHA256: 6ea25695a9aad32904703c66f8beada7524903e101092b29b376f2f7cce84be5
SHA512: a767c6dd453ad3f06291187328b241bf19123f2bdd9df15ba19e2e2b491ad90fda38d99de7a011ea0aa3b6ec5be7b07d0c4a40379a11377d182a1c26a87785eb
-
Filesize: 2.6MB
MD5: ad0973545ad7a819117a5b73197f293f
SHA1: cf2a5a414dae9a6b61a285a87ef47edbf846fa15
SHA256: 3b2eab8e166336d56f6dfd703a4d0b2940eefb6cdc723ae9267a1694eeff00fd
SHA512: 96347c1506c1f8ed024bc7f8aa99b90025299be9cda9fcecab86df08dceda26a2aeb6be916422acff25e4a511d5fe8201b4095884e144ae9613e64828f0a9add
-
Filesize: 209B
MD5: 5f6ca4cc2b075e2b11e32a7ec71bc70e
SHA1: 24951ab8f44063e25715bfd82118da5b7e4ec527
SHA256: aca13e89a56b65b3bc57ecddebbe305d3d50a80ffe4cecd58403a58202729d70
SHA512: efcc1cc37f1f4fea07c4de30d5a106a69b2e4a2d9a71e8ba105a5b8871add17943a48336d0ebbed661fc83ecfa65c7b0ba04060f40e0bd10e32ec7691ee35afd
-
Filesize: 177B
MD5: 01d1e67194782b6c2ea5ed3e0e661cc3
SHA1: 037bf6d4cbdd9eaf57ec40dbacefb71f5dbb60c3
SHA256: bf392157ec9eb269a6e0a429e046e4a2e49d7b7cdc73e5d1c9a7fbd66414eeb8
SHA512: 4b63df07fe5a6b45379d1125fb4e79d5c2956688f8c023339655518fb88fe168dccaaf158b92f28c40bd903f860ab2f650731655663e3150859b118cc09a27d4
-
Filesize: 2.6MB
MD5: 6f2245941a8371be1ee4fcb96e5a2a7e
SHA1: 1f919390c5ee7e77d688c72d803f6f0f55ece33e
SHA256: 4046ef8c05f4af50ea5bb708f08b9cacf662195a2bb3771314651ce9007ac516
SHA512: 75f536b1ef87151250f977f2955a34390634f35c64171113d9937baffb2a565a2b3b4c6c1fa5aad8e0155f5304a18d85280585af577d7608a463c311c7e1210e