Analysis
Max time kernel: 120s
Max time network: 97s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/11/2024, 16:51
Static task: static1
Behavioral task: behavioral1
  Sample: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  Resource: win10v2004-20241007-en
General
Target: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
Size: 2.6MB
MD5: 46f26c47f98deb501b7414fcfca26350
SHA1: 7481d679b4b396d1ab1cbae89425ca88e734f9f6
SHA256: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6
SHA512: f853693f06d8bd30ef77308850b12b88e2387ab113c301aacea2f381fef1be6f9c9c1fe7a01dd14f732ad0bcacee7b912a73e2b07ea9010ded5ad2f7702cbd74
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  Process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe

Executes dropped EXE (2 IoCs)
  PID 4028: sysxopti.exe
  PID 4720: devoptiloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQN\\optidevloc.exe"
  Process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ3\\devoptiloc.exe"
  Process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysxopti.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; duplicate pid/process entries collapsed below)
  PID 2976: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  PID 4028: sysxopti.exe
  PID 4720: devoptiloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2976 wrote to memory of 4028 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 87)
  PID 2976 wrote to memory of 4028 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 87)
  PID 2976 wrote to memory of 4028 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 87)
  PID 2976 wrote to memory of 4720 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 90)
  PID 2976 wrote to memory of 4720 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 90)
  PID 2976 wrote to memory of 4720 (pid 2976, process 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe, procid_target 90)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
  PID: 2976
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 2976): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 4028
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2 (child of PID 2976): C:\UserDotQ3\devoptiloc.exe
    Command line: C:\UserDotQ3\devoptiloc.exe
    PID: 4720
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads