Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:20
Static task: static1
Behavioral task: behavioral1
  Sample: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Resource: win10v2004-20241007-en
General
Target: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
Size: 2.6MB
MD5: 9c8e2668fabfeb142bb974b0d69a0a75
SHA1: cfb0173ceb3461fca2da5e7b7f6848b3d0c3be11
SHA256: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30
SHA512: 929884d5ae9b9124c95e79757cee62a4341bf55f2a9150ec5b99a383a0b47fa1f67d0b29503eb6b57c5ef7efb3a21b48acd1f6df0c04310aa93066b47901e6ee
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSf:sxX7QnxrloE5dpUptbA
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe)
- Executes dropped EXE (2 IoCs)
  PID 2332: sysxdob.exe
  PID 2480: devoptiec.exe
- Loads dropped DLL (2 IoCs)
  PID 264: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe (2 events)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\devoptiec.exe" (process: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVE\\optiaec.exe" (process: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 264: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe; PID 2332: sysxdob.exe; PID 2480: devoptiec.exe (64 events in total, repeated across these three processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 264 (119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe) wrote to memory of PID 2332, procid_target 31 (4 events)
  PID 264 (119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe) wrote to memory of PID 2480, procid_target 32 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe"
  PID: 264 (depth 1)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2332 (depth 2, child of PID 264)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\UserDotB5\devoptiec.exe
    Command line: C:\UserDotB5\devoptiec.exe
    PID: 2480 (depth 2, child of PID 264)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads