Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    11/11/2024, 23:14

General

  • Target

    68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe

  • Size

    2.6MB

  • MD5

    51681a2932a495c3b9714864d135d83d

  • SHA1

    de0d2fd21ad60b3334fd41713cc0327d0421a255

  • SHA256

    68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1

  • SHA512

    80fe1478bf47a44ae86dcfb79941601d0156dea17d8a573f6b573e50c0987692c5de14e39d6b210152fb6859a9d44bd23e6614015df39e208ae1b2d078f125ea

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
    "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2844
    • C:\SysDrvJD\devoptiec.exe
      C:\SysDrvJD\devoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2740
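
The process tree above is the shape three of the listed signatures describe: one process (PID 2224) writes files into the user's Startup folder and elsewhere, sets a Run key, and is then the parent of the executables it wrote. The following is an added example, not sandbox output, that replays those three signatures ("Drops startup file", "Adds Run key to start application", "Executes dropped EXE") over a constructed, Sysmon-like event stream built to mirror this tree. The Run key value name and data are assumptions; the report flags that a Run key was added but does not show its contents.

```python
"""Replay three of the report's signatures over a constructed event stream.
Added example, not sandbox output: events are hand-built to mirror the
process tree on this page (dropper PID 2224 spawning sysaopti.exe PID 2844
and devoptiec.exe PID 2740).  The Run key name/data are assumptions."""
import re
from dataclasses import dataclass, field

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events: type, acting pid, target path or key, optional ppid/data.
EVENTS = [
    {"type": "FileCreate", "pid": 2224, "target": STARTUP + r"\sysaopti.exe"},
    {"type": "FileCreate", "pid": 2224, "target": r"C:\SysDrvJD\devoptiec.exe"},
    {"type": "FileCreate", "pid": 2224, "target": r"C:\LabZYW\optidevsys.exe"},
    # Assumed key name and data; the report only states that a Run key was added.
    {"type": "RegistrySet", "pid": 2224,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\optidevsys",
     "data": r"C:\LabZYW\optidevsys.exe"},
    {"type": "ProcessCreate", "pid": 2844, "ppid": 2224, "target": STARTUP + r"\sysaopti.exe"},
    {"type": "ProcessCreate", "pid": 2740, "ppid": 2224, "target": r"C:\SysDrvJD\devoptiec.exe"},
    # Benign noise that must not fire: a temp file write and a launch of a
    # binary that nothing in the trace created.
    {"type": "FileCreate", "pid": 1500, "target": r"C:\Users\Admin\AppData\Local\Temp\cache.tmp"},
    {"type": "ProcessCreate", "pid": 1600, "ppid": 1500, "target": r"C:\Windows\System32\notepad.exe"},
]


@dataclass
class Findings:
    startup_drops: list = field(default_factory=list)      # (pid, path)
    run_keys: list = field(default_factory=list)           # (pid, key, data)
    dropped_exe_execs: list = field(default_factory=list)  # (pid, ppid, path, dropper_pid)


def detect(events) -> Findings:
    """Single ordered pass.  'Executes dropped EXE' is a correlation, not a
    pattern match: a ProcessCreate only counts if an earlier FileCreate in
    the same trace wrote that image path, so file creation is tracked."""
    found = Findings()
    created_by: dict[str, int] = {}   # normalised image path -> writer pid
    for ev in events:
        target = ev["target"]
        norm = target.lower()
        if ev["type"] == "FileCreate":
            created_by[norm] = ev["pid"]
            if STARTUP_DIR_RE.search(target):
                found.startup_drops.append((ev["pid"], target))
        elif ev["type"] == "RegistrySet" and RUN_KEY_RE.search(target):
            found.run_keys.append((ev["pid"], target, ev.get("data", "")))
        elif ev["type"] == "ProcessCreate" and norm in created_by:
            found.dropped_exe_execs.append((ev["pid"], ev["ppid"], target, created_by[norm]))
    return found


def persistence_chain(found: Findings) -> list[int]:
    """PIDs that both planted an autostart (Startup folder or Run key) and
    wrote something that was later executed: the shape of the tree above."""
    planters = {pid for pid, _ in found.startup_drops} | {pid for pid, _, _ in found.run_keys}
    droppers = {dropper for _, _, _, dropper in found.dropped_exe_execs}
    return sorted(planters & droppers)


if __name__ == "__main__":
    result = detect(EVENTS)
    for name in ("startup_drops", "run_keys", "dropped_exe_execs"):
        print(f"{name}: {getattr(result, name)}")
    print("persistence chain pids:", persistence_chain(result))
```

The two path-based signatures are simple regexes; the third needs state across events, which is why a single ordered pass with a creation map is used rather than per-event matching. Feeding real Sysmon events (IDs 11, 13 and 1) into the same shape only requires mapping their fields onto the record keys used here.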

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZYW\optidevsys.exe

          Filesize

          2.6MB

          MD5

          231b20d6efb7218932be184ba48833db

          SHA1

          6b622d5a5a7adc73b4f29a48257b40f9bacb702f

          SHA256

          778f9e00eb9b1818023e4757ac4a79685bbae9306b9f66d0023f9d09e0bc6c0d

          SHA512

          a2efd29edff1144d33cdfbc07f5dad712ed71cb35f1531546a67584b4ee7c6b2050770b20aa47cdcf42d0ca0f44492bac65ddb1f7ea92621baad8c7845a92461

        • C:\LabZYW\optidevsys.exe

          Filesize

          2.6MB

          MD5

          230117e6da79e7edd2de85eb787bb7a9

          SHA1

          0ee4ebf3d8bc60e1bd732209e6d7cccb6acade94

          SHA256

          14fe7495c54e230aaff0ed5cd4e7c2073edfd8bf06db01e4d6575be944cf3e5a

          SHA512

          1717b153cb31bb9f751eaf2e46dd245781339cdceb6e7d77432789181f96d6b8b7107c5a6ec5a2e62ead7115a1a0e278581c3632bb5531bc36cc0f757565313c

        • C:\SysDrvJD\devoptiec.exe

          Filesize

          2.6MB

          MD5

          7f89e0fc1e84c37efd302325c296db89

          SHA1

          091ed6de4019de3a15fae3159f8fe722780ddb9b

          SHA256

          510e901625bf5313d3f0c63105c92476b9025dadfd2e4fbcd2be7f474ec79620

          SHA512

          4ca075e2e8daf5a76fca3c7077ba0415478e1401b275170a59cb6a92d9652e9ac8693ebbe7433748b476e9fb08c1e6599b0428a2f6db3baf83c9f8a959b714dc

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          175B

          MD5

          d12265c102375248ac6b62191cbb0241

          SHA1

          f466121851b8793bfbbfa8c55bd333a3455205aa

          SHA256

          d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810

          SHA512

          c7b2a2628d69035ff452df48426309960ddeaef697d05be2a0fe4aaa394a9e7f81e9d5db607934f103c18b0c39ac575acdb97b856c7275babe779e31dec52856

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          207B

          MD5

          31d541541abdfa4a1aec637938c6ccaa

          SHA1

          e1e92db932721c8050588a147687f27853cf6de9

          SHA256

          5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09

          SHA512

          048064be3b85d57b671c4e187838d063a16e2b86ac9cd36e6519d77a93a954424c690ebcb4d955c745380e54a11fb7696624c9268cb9c9a78d870259ae6205df

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          fb3d65697a8d6cc5727db61216a68e0a

          SHA1

          33f08e9beb9bf649791ad3855cab3a8ec666f6c4

          SHA256

          2c1d13d4128a5a885bc56c0244dd5a35d7ac8fae5c989220479d9363b42020ac

          SHA512

          34ec32b39e38211968792a5fb1589bf4cf28f91fa74d4115bebabd50db912465b0f939e1306400862161a223c54f38b7c3f2eb41d05293cb3ab75c6088960b5f
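
Two paths in the list above appear twice with different hashes (C:\LabZYW\optidevsys.exe and the .ini under C:\Users\Admin), meaning the file at that location changed during the run, and every 2.6MB drop has a hash distinct from the original sample's. The following added example (not part of the sandbox output) parses this report's dropped-file list into structured IOCs, flags the rewritten paths, and runs a hunt over a constructed host inventory that matches by hash or by path. The excerpt embedded in the code is copied from this page with only path, Filesize and SHA256 retained; the host inventory in the test is constructed.

```python
"""Parse this report's dropped-file list into IOCs.  Added example, not part
of the sandbox output.  REPORT_EXCERPT is copied from the page above with
the MD5/SHA1/SHA512 lines left out; the parser treats any label/value pair
the same way, so the full list parses identically."""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
• C:\LabZYW\optidevsys.exe
  Filesize
  2.6MB
  SHA256
  778f9e00eb9b1818023e4757ac4a79685bbae9306b9f66d0023f9d09e0bc6c0d
• C:\LabZYW\optidevsys.exe
  Filesize
  2.6MB
  SHA256
  14fe7495c54e230aaff0ed5cd4e7c2073edfd8bf06db01e4d6575be944cf3e5a
• C:\SysDrvJD\devoptiec.exe
  Filesize
  2.6MB
  SHA256
  510e901625bf5313d3f0c63105c92476b9025dadfd2e4fbcd2be7f474ec79620
• C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize
  175B
  SHA256
  d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810
• C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize
  207B
  SHA256
  5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09
• \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Filesize
  2.6MB
  SHA256
  2c1d13d4128a5a885bc56c0244dd5a35d7ac8fae5c989220479d9363b42020ac
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


def parse_dropped_files(text):
    """Each '•' line starts a record; the report then alternates a label line
    with its value line.  Returns one dict per listed file, in page order."""
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            label = None
        elif line in LABELS:
            label = line
        elif current is not None and label is not None:
            current[label] = line
            label = None
    return records


def hash_iocs(records):
    """Lower-cased SHA256 set for a hash-based hunt."""
    return {r["SHA256"].lower() for r in records if "SHA256" in r}


def rewritten_paths(records):
    """Paths listed more than once with differing hashes: the file changed
    during the run, so any single hash for it is a weak indicator and the
    path is the more durable one."""
    seen = defaultdict(list)
    for r in records:
        seen[r["path"].lower()].append(r.get("SHA256", "").lower())
    return {p: hs for p, hs in seen.items() if len(set(hs)) > 1}


def hunt(records, inventory):
    """Match a host inventory of (path, sha256) pairs against the IOCs.
    Paths compare case-insensitively and without the drive letter, because
    the report lists the Startup drop with no drive prefix."""
    hashes = hash_iocs(records)
    paths = {re.sub(r"^[a-z]:", "", r["path"].lower()) for r in records}
    hits = []
    for path, digest in inventory:
        by_hash = digest.lower() in hashes
        by_path = re.sub(r"^[a-z]:", "", path.lower()) in paths
        if by_hash or by_path:
            hits.append((path, "hash" if by_hash else "path"))
    return hits


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    print(len(recs), "records,", len(hash_iocs(recs)), "distinct SHA256 values")
    for p, hs in rewritten_paths(recs).items():
        print("rewritten during run:", p, hs)
```

Because the rewritten files show that a hash taken at one instant may not match the file found on a host later, a hunt built only from this list's hashes can miss an infected machine; the path set (the Startup folder file name and the two non-standard root directories) is what to query alongside the hashes.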