Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Resource: win10v2004-20241007-en
General
Target: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
Size: 2.6MB
MD5: 51681a2932a495c3b9714864d135d83d
SHA1: de0d2fd21ad60b3334fd41713cc0327d0421a255
SHA256: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1
SHA512: 80fe1478bf47a44ae86dcfb79941601d0156dea17d8a573f6b573e50c0987692c5de14e39d6b210152fb6859a9d44bd23e6614015df39e208ae1b2d078f125ea
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb
Malware Config
Signatures

Drops startup file 1 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe

Executes dropped EXE 2 IoCs
  pid | Process
  2844 | sysaopti.exe
  2740 | devoptiec.exe

Loads dropped DLL 2 IoCs
  pid | Process
  2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\devoptiec.exe" | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYW\\optidevsys.exe" | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  2844 | sysaopti.exe
  2740 | devoptiec.exe
  (the last two rows, 2844 sysaopti.exe and 2740 devoptiec.exe, alternate for all remaining entries, 64 IoCs in total)

Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | Process | procid_target
  PID 2224 wrote to memory of 2844 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 31
  PID 2224 wrote to memory of 2844 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 31
  PID 2224 wrote to memory of 2844 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 31
  PID 2224 wrote to memory of 2844 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 31
  PID 2224 wrote to memory of 2740 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 32
  PID 2224 wrote to memory of 2740 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 32
  PID 2224 wrote to memory of 2740 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 32
  PID 2224 wrote to memory of 2740 | 2224 | 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | 32
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2224

  Level 2 (child of PID 2224): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2844

  Level 2 (child of PID 2224): C:\SysDrvJD\devoptiec.exe
    Command line: C:\SysDrvJD\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads