Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/11/2024, 16:47

General

  • Target: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  • Size: 2.6MB
  • MD5: c20eb780ca20b75ce386c46ea78e38e0
  • SHA1: 376d78028196c0485c3d223f7967e117c547d644
  • SHA256: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849
  • SHA512: feb5c611271f8f662cb6fff376d9611b7fe4fc1e55446f42f2b205880d3a4eff57c7afdbb0138a23925682c3352591f11a14875a2990a409a46cc78e73694a57
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpLb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2456
    • C:\SysDrvJD\devoptiec.exe
      C:\SysDrvJD\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:796

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZYW\optidevsys.exe
          Filesize: 2.6MB
          MD5: afa485fb86af065f28d15e908c65911b
          SHA1: 73c6f8bdd2100494955cb20320c23bd0f0a048e6
          SHA256: a11e79e8e1a689168629b29bd74c41486bf9567464fea088f10375baa2876d8b
          SHA512: 1afaca24948cf322ae537aa83a0da414d583e0dd8f31ddc47aed0f819d6fb70ac27a573eaf73c9059a485cb3571248564885cd7a06a517a0b5d5472a922947e1

        • C:\LabZYW\optidevsys.exe
          Filesize: 2.6MB
          MD5: 716ec118e0d538f609e54e3b4a95f4d8
          SHA1: 084f317a641f27ba104d0c1b65914a03637f4ce0
          SHA256: c536105a15a6bbd6c6ae75fdd1d9d0c8c7183aacd0c9229bae5f1a14e3f7463b
          SHA512: 090266549b1ca9f54b5b939e3bf037ebe417d49feeeecbbdeb462b5ad59caa41b24e65ef4f1117967603cd298057fc28d7812d9baa0977f44a24c4a33b65960f

        • C:\SysDrvJD\devoptiec.exe
          Filesize: 2.6MB
          MD5: 2448ab68a39982b67b9fcfb935c79474
          SHA1: b1e93f5d370947873de198347300fb792afe138a
          SHA256: 155cc7d84511c05be1e4632784423010964197fa91ac362e2f5516a1eeef8aef
          SHA512: 3a1163e36c546edba580b86077cd57cf7f659ffc4f49f3a8492d08a3324d0c48b5bb56c92058666ca5f3eeb8eb8e2b7b56fa1433bc698afe468ca8e9a7400cd8

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 175B
          MD5: d12265c102375248ac6b62191cbb0241
          SHA1: f466121851b8793bfbbfa8c55bd333a3455205aa
          SHA256: d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810
          SHA512: c7b2a2628d69035ff452df48426309960ddeaef697d05be2a0fe4aaa394a9e7f81e9d5db607934f103c18b0c39ac575acdb97b856c7275babe779e31dec52856

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 207B
          MD5: 31d541541abdfa4a1aec637938c6ccaa
          SHA1: e1e92db932721c8050588a147687f27853cf6de9
          SHA256: 5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09
          SHA512: 048064be3b85d57b671c4e187838d063a16e2b86ac9cd36e6519d77a93a954424c690ebcb4d955c745380e54a11fb7696624c9268cb9c9a78d870259ae6205df

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
          Filesize: 2.6MB
          MD5: a90e470773db538a48d8a338f9693ac8
          SHA1: f2db74c05fbd5c95341a39e497898307a9c3a043
          SHA256: ecc8774c86a2c1ec5203a64e3f70b5cf6efb0e38545d89813bf0acc2d1b11b62
          SHA512: 9ba1a8d7771f57b6a3f5c97a393a9c6dfa4df1b55dc57e20546da470e70f9fa64a3d3d713ad9c1fa607d4a2138f686a904888efea97c2b87e5c1619135d86936