Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:47
Static task: static1
Behavioral task: behavioral1
  Sample: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  Resource: win10v2004-20241007-en
General
Target: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
Size: 2.6MB
MD5: c20eb780ca20b75ce386c46ea78e38e0
SHA1: 376d78028196c0485c3d223f7967e117c547d644
SHA256: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849
SHA512: feb5c611271f8f662cb6fff376d9611b7fe4fc1e55446f42f2b205880d3a4eff57c7afdbb0138a23925682c3352591f11a14875a2990a409a46cc78e73694a57
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)

Executes dropped EXE (2 IoCs)
  PID 2456  sysaopti.exe
  PID 796   devoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 1720  f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  PID 1720  f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\devoptiec.exe"  (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYW\\optidevsys.exe"  (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1720  f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe  (2 entries)
  PID 2456  sysaopti.exe  and  PID 796  devoptiec.exe  (alternating entries for the remainder of the 64)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1720 (f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe) wrote to memory of PID 2456, procid_target 31  (4 entries)
  PID 1720 (f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe) wrote to memory of PID 796, procid_target 32  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
  PID: 1720
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (child of PID 1720)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 2456
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvJD\devoptiec.exe  (child of PID 1720)
    Command line: C:\SysDrvJD\devoptiec.exe
    PID: 796
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: afa485fb86af065f28d15e908c65911b
  SHA1: 73c6f8bdd2100494955cb20320c23bd0f0a048e6
  SHA256: a11e79e8e1a689168629b29bd74c41486bf9567464fea088f10375baa2876d8b
  SHA512: 1afaca24948cf322ae537aa83a0da414d583e0dd8f31ddc47aed0f819d6fb70ac27a573eaf73c9059a485cb3571248564885cd7a06a517a0b5d5472a922947e1

- Filesize: 2.6MB
  MD5: 716ec118e0d538f609e54e3b4a95f4d8
  SHA1: 084f317a641f27ba104d0c1b65914a03637f4ce0
  SHA256: c536105a15a6bbd6c6ae75fdd1d9d0c8c7183aacd0c9229bae5f1a14e3f7463b
  SHA512: 090266549b1ca9f54b5b939e3bf037ebe417d49feeeecbbdeb462b5ad59caa41b24e65ef4f1117967603cd298057fc28d7812d9baa0977f44a24c4a33b65960f

- Filesize: 2.6MB
  MD5: 2448ab68a39982b67b9fcfb935c79474
  SHA1: b1e93f5d370947873de198347300fb792afe138a
  SHA256: 155cc7d84511c05be1e4632784423010964197fa91ac362e2f5516a1eeef8aef
  SHA512: 3a1163e36c546edba580b86077cd57cf7f659ffc4f49f3a8492d08a3324d0c48b5bb56c92058666ca5f3eeb8eb8e2b7b56fa1433bc698afe468ca8e9a7400cd8

- Filesize: 175B
  MD5: d12265c102375248ac6b62191cbb0241
  SHA1: f466121851b8793bfbbfa8c55bd333a3455205aa
  SHA256: d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810
  SHA512: c7b2a2628d69035ff452df48426309960ddeaef697d05be2a0fe4aaa394a9e7f81e9d5db607934f103c18b0c39ac575acdb97b856c7275babe779e31dec52856

- Filesize: 207B
  MD5: 31d541541abdfa4a1aec637938c6ccaa
  SHA1: e1e92db932721c8050588a147687f27853cf6de9
  SHA256: 5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09
  SHA512: 048064be3b85d57b671c4e187838d063a16e2b86ac9cd36e6519d77a93a954424c690ebcb4d955c745380e54a11fb7696624c9268cb9c9a78d870259ae6205df

- Filesize: 2.6MB
  MD5: a90e470773db538a48d8a338f9693ac8
  SHA1: f2db74c05fbd5c95341a39e497898307a9c3a043
  SHA256: ecc8774c86a2c1ec5203a64e3f70b5cf6efb0e38545d89813bf0acc2d1b11b62
  SHA512: 9ba1a8d7771f57b6a3f5c97a393a9c6dfa4df1b55dc57e20546da470e70f9fa64a3d3d713ad9c1fa607d4a2138f686a904888efea97c2b87e5c1619135d86936