Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:51

General

  • Target
    42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
  • Size
    2.6MB
  • MD5
    46f26c47f98deb501b7414fcfca26350
  • SHA1
    7481d679b4b396d1ab1cbae89425ca88e734f9f6
  • SHA256
    42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6
  • SHA512
    f853693f06d8bd30ef77308850b12b88e2387ab113c301aacea2f381fef1be6f9c9c1fe7a01dd14f732ad0bcacee7b912a73e2b07ea9010ded5ad2f7702cbd74
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4028
    • C:\UserDotQ3\devoptiloc.exe
      C:\UserDotQ3\devoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4720

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\KaVBQN\optidevloc.exe
    Filesize: 766KB
    MD5: fd7f26d739038b915a606dac5c73d829
    SHA1: 031ee1e3376a1042d11133faee359266008ff335
    SHA256: 901d06cfbcc104200d0d45f098d1bf3893645263f36300d9d14ec99c9fdf115c
    SHA512: 807f019e5381c343aef41dd36647b473bb512c6971a960bcf4e6559626df560ba354d86ca8fe2675574dbe6ea007e6a8791786df4bc89be8979fcf139c5ad6dd

  • C:\KaVBQN\optidevloc.exe
    Filesize: 893KB
    MD5: cf0673f8aef9b856eb8dccfc22e770ea
    SHA1: 646f67e7e93e43d96e9c7d5145e66c803f72dd52
    SHA256: adafd38ef4a0750dc00f9b377c6157179b770412aeb5d14125df0e32bf6d26e7
    SHA512: 8b9da512b3cb61fd6842c2f905ff510b501b3ed6198d34284d3e2dee0a0ba70d62cbdb459f8067844d50f7161ffe32c02cbc1d135be9682ca3df2eec2ca29ee5

  • C:\UserDotQ3\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 65dc4240f77882b60ad491b6b46e3bfb
    SHA1: 3350ad419946bf6da355c6976b0da2bc8fe0713b
    SHA256: 4430f337c4bbb584c0b59fbb0012ea269e86f1498544d402becfaff5e03ba140
    SHA512: 011cb9e81308f0e829bd51f019a4e98808892d002b0988c11c0ea6e09aac1bd15919c48448b61eb710159dbbe8686706f3ec00960b138db68b1f9bd53f8d5183

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 209B
    MD5: 420306fd4ec57ee8ebe42d49c039f485
    SHA1: 44489caca684128edffe86f1e6f7ee3dca7e7cde
    SHA256: cb3884854af1b05e627612be601009a626d172abba0d336b60b11b5dd49730d0
    SHA512: 1eedd263a8a6fa58d8d799ce5daf15524226cf85c9623c3ded2fc716b88bee5783a202792dd96a6762d99d2c3429513762570ba468e36c7aea258cc7a33dc3c2

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 177B
    MD5: f180bebb3bb1ccc382140030c74f363f
    SHA1: 1382a406cebf869fad990d15674c737483fddfcd
    SHA256: 5909b577757d985e4e3f6691805d26725e6ecd06770ce27d82fcd93cccb2c004
    SHA512: ce1e6ed0e14d3dffe12ec7fe1006e3712c3be438ca411fa5f7490d801e2be76b3ce2b92f631bbbe7dd5fe9079460fde0bc6ea8fc0926934664fee898d91fe853

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: bbae29d793f1f61bef87885d564a2f11
    SHA1: 8a46b7748eb77deb3177d200ef105bc6edfa081e
    SHA256: 013abfecf3b6c280e98f4b73e53838bef14162783c468fe20814f7260ffe4de6
    SHA512: 52e6e16a5bbf911f7aea8e1bc9104861de4b2637d153b592d5f460f9b975daeb81f5fa5fb33a427db7cab82cc1cb2b6e47af8296542a6489c03115fb7d77597e