Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
Resource: win10v2004-20241007-en
General
Target: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
Size: 2.6MB
MD5: a8c23cf01ddca118253b54c8bd9c7c40
SHA1: 46d3a880fde7512b73bc768ebcfcc0e37b023fa6
SHA256: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823f
SHA512: c1bace1db34362cc10b193f659bf57e9227cf0cc43b7da676c00af05ad94653ea527acdc6bc99c7282f61ef6c1d53c43b71a16bf72a1a1100e9ff8e92fd4c5d4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpzb
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
Executes dropped EXE (2 IoCs)
PID 2100: sysaopti.exe
PID 796: xoptiec.exe
Loads dropped DLL (2 IoCs)
PID 2280: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe (listed twice)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW9\\xoptiec.exe" (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKX\\bodxec.exe" (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2280: 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
PID 2100: sysaopti.exe
PID 796: xoptiec.exe
(the same three processes are listed repeatedly; 64 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
PID 2280 (8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe) wrote to memory of PID 2100, procid_target 31 (4 entries)
PID 2280 (8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe) wrote to memory of PID 796, procid_target 32 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe (PID 2280)
command line: "C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 2100)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\IntelprocW9\xoptiec.exe (PID 796)
  command line: C:\IntelprocW9\xoptiec.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads