Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:32

General

  • Target

    3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe

  • Size

    2.6MB

  • MD5

    595bcd0a806be82959f06afb72d6a4c0

  • SHA1

    b1e3af0a5df5e4ec1910c2be73a3f3e36422d6f8

  • SHA256

    3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517

  • SHA512

    b92379ef39290027d3509b91cceee0abc4b0ec73a6246c088d4232c641e11be6b493f3992e5e3a4287352aaae61cda95a7f89f9da9cc949afd092bc288ecc3c1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
    "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\Adobe27\xdobsys.exe
      C:\Adobe27\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:992

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Adobe27\xdobsys.exe

          Filesize

          2.6MB

          MD5

          e1dcebc2290766a1c8e947140b876183

          SHA1

          4c6db1cb0999ea0123a8add18f7343b78b8b9cad

          SHA256

          8bf008185a9c70e90e8d0656e0c51c8841c3c8747d6a510e346cb6a180158f09

          SHA512

          7ce86bdffcafe3b9fe3a8c44cc471d600942f3103e010342125ba9ccba3e46a572da64b12e712820d03c0c59ddcceaa89d72bd91b0e36527697c9170fbbc951e

        • C:\GalaxKJ\optidevsys.exe

          Filesize

          2.6MB

          MD5

          27a0d70052ebcd0267e5878748ed0d7a

          SHA1

          1a47c73bbe6246b372d05b9102183f3e7c5c71df

          SHA256

          6455960942b87b99cc771199fb0f661b6c219bdd24a8738ce57df205b009f63b

          SHA512

          0f9b6daaade91bf9489b279c4e325dad639e8f207ce2327304ccac36f0722f00d6f1d421b295ab7bfac72b8e24a08f3c2219e8d733de5aaddd6d8f3a7d992784

        • C:\GalaxKJ\optidevsys.exe

          Filesize

          2.6MB

          MD5

          fca093ff6eb73c5b0b9834f5ac203ebc

          SHA1

          68fda4fd327e5bdfd2caae85b38f4d68a69320a6

          SHA256

          5124f37d1e685de65bae71f9061fced73ce057ffb3875e959d3577a85dc3f552

          SHA512

          6d44dde9e7130f41929f62cb9172324e3ffb4586c0c22ac913e6c52be2d13188fbd5fd69364243f74e09f4da9e19a0ed0c77ad2acac5e2a1beb6b0e07a912ca9

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          25c91cecff43e10811bfcec772145c87

          SHA1

          7110188f290742ebef687395674e5a35e080059d

          SHA256

          445efe35b889125767330c0ec20b200688a9663737e9c67b3a264456ddef53b1

          SHA512

          8b813063d1c91cc15e30fcb35971a83d4e56f0281aa089c2e691dbca6b377ecd773e3e31105d87cb2e93742f3d9103e1e5a99bf850a257c1bd95d0fa52bcc50a

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          a1135c6e0308c2db0588dc361480ff23

          SHA1

          07ee01348b9916af4c2f41103ea6926aa63c334d

          SHA256

          ac01b57888acbaa66b17994b6ba1628d9ef2b10c4ef83cd0bb22d1468b158d21

          SHA512

          656f78e8d757e8cc99fe08e969eb4ed17105a5a7147eb53a333b8162063a32704b9161b93e55c25657600cec58f6cfb8284690d583296a62f13f25e1f7ad309b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          c088e24b0bcb9804bc1788931dc18ecb

          SHA1

          86c24e63055c1b74d833e8907a2fb08e1ec9ca2c

          SHA256

          e3ea10859b68429fc2b9655e4f2e346bbfe195ec4192d77083e3d0007e889902

          SHA512

          dcbecddc2149615ca626dd60b966a080d7a795cf9fd38170574d7dda86489bcdb9b8c6562455e52221cbc2989000db2ede7aec673e6446960c2c57f0715c9fd7