Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:56

General

  • Target

    739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe

  • Size

    2.6MB

  • MD5

    035de7c08de365c74452708c8c4e8870

  • SHA1

    dafa05d73b2fa0a03da19772482ae4a85b738baa

  • SHA256

    739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32

  • SHA512

    e7ffb3d87e4addb180fd5881ec9a5e093a0b1a5d57307a77bd6c23fa92c48a6553dc95dc60cd2a3fbd80275cb8deefa93d2815f771e69551399bee91c3807e44

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpeb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
    "C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:812
    • C:\UserDotR8\xoptisys.exe
      C:\UserDotR8\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2232

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVBGN\optidevloc.exe

          Filesize

          1.2MB

          MD5

          54561225560aad2546dadfcde1c1d94f

          SHA1

          5bf0caf64b258b0f18d53a9e45efd4506656c80f

          SHA256

          03a7f6a182fd85636ba9a0dafdf4552300ab6c1bd8a5eb86761a0fcaf4486289

          SHA512

          f2c2cd7963b31f9c0bff47af68751c46f6dc1cd07079086a3a68eb24db18a8cc98fbad8894055bbd1fc4c7fe2847e8cfb1a56c4c53c069d34c67234aebad1e5d

        • C:\KaVBGN\optidevloc.exe

          Filesize

          6KB

          MD5

          c8190a91500bb1d9caa61e3b11eaf128

          SHA1

          ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

          SHA256

          6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

          SHA512

          bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

        • C:\UserDotR8\xoptisys.exe

          Filesize

          2.6MB

          MD5

          4df78a5601ba1b5b581eef69e34a77b8

          SHA1

          f17972609a2e6407a89829c71070154861c922d0

          SHA256

          3dceff21bca32885fa18924d13d8f91965ffcf1c2c0d7eac47546bb78ad65907

          SHA512

          ed0cbba4815e07e38805c6e97e35e60f19f2ecdc3502c678cfac2e54dfee55440b51e23a5676ef1b2036c06a924f404691799221af2841b211c7cd99ec580245

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          206B

          MD5

          261cfd1eea9e8c20161886b269915bc9

          SHA1

          401220c366c9df786ecc1cb683b87e0febbb058e

          SHA256

          5c9b98b8c0292d8bed3a3bd2605b6643273e4a357d11a8493cf37a0f67c17678

          SHA512

          0b49ceb86d2a9d983c857ea966d9e8338330ea578cdc3244c05e21a294fe63a19cda5090710ab86c187b314c8d758a6f8cf501c2f8b0e5a529acf49edc3c5f9e

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          174B

          MD5

          71fef6c5a7c141e4be15071cde472add

          SHA1

          4e99e1f43e5210251a07b7b29043b5633cdbcbf0

          SHA256

          8a29ea35142eeb2d8f70fb7d64bf54ab70f2ac798b213f6f3a0639a2b2cbae74

          SHA512

          9913a145f77ce0b32fdcb477a8a1568b00723d1f81d31621d86642d24355824c977f0baabdbdf4d23d2d574d8d3cdb659e1343adbd20dc87519e12a0206ec506

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          b70dbeecfeaed875dcf47f675d67c37b

          SHA1

          597cf888220ca9328415d6aa01a5b72bab6a80cf

          SHA256

          abcebe18e2c52eb506383d0f65370bd12c3d6e1b0f4430419eebafdf9044d08f

          SHA512

          c57157ca89c756f507a47b4a0814ba864fb51df5ed9795213c2cd710daef77065ca6a08cb4fcf7835da40181b15d10dc710db1993e6b8009173906415ab28582
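The dropped-file hashes listed above and the persistence locations flagged in the Signatures section (Startup folder file, Run key) can be turned directly into a host sweep. The script below is an added example and is not part of the sandbox report or of the sample. It embeds the SHA256 values from the Downloads section, treats the generated-looking directory names (KaVBGN, UserDotR8, the numeric .ini prefix) as unreliable and so matches on hash first and on filename second, and on Windows also enumerates the HKCU/HKLM Run and RunOnce keys for values that reference the dropped executables. The demo() function exercises it against constructed stand-in files in a temporary directory; those file contents are made up and are not the real samples.

```python
"""IoC sweep built from the dropped-file hashes in the sandbox report above (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section. Two different
# contents were observed for C:\KaVBGN\optidevloc.exe and for the .ini file,
# so both hashes are kept.
REPORT_SHA256 = {
    "03a7f6a182fd85636ba9a0dafdf4552300ab6c1bd8a5eb86761a0fcaf4486289": r"C:\KaVBGN\optidevloc.exe (1.2MB)",
    "6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e": r"C:\KaVBGN\optidevloc.exe (6KB)",
    "3dceff21bca32885fa18924d13d8f91965ffcf1c2c0d7eac47546bb78ad65907": r"C:\UserDotR8\xoptisys.exe",
    "abcebe18e2c52eb506383d0f65370bd12c3d6e1b0f4430419eebafdf9044d08f": r"...\Start Menu\Programs\Startup\sysabod.exe",
    "5c9b98b8c0292d8bed3a3bd2605b6643273e4a357d11a8493cf37a0f67c17678": r"C:\Users\Admin\253086396416_10.0_Admin.ini (206B)",
    "8a29ea35142eeb2d8f70fb7d64bf54ab70f2ac798b213f6f3a0639a2b2cbae74": r"C:\Users\Admin\253086396416_10.0_Admin.ini (174B)",
}

# Filenames the sample wrote. A name match alone is a lead, not a confirmation.
SUSPECT_NAMES = {"optidevloc.exe", "xoptisys.exe", "sysabod.exe"}


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, known_hashes=REPORT_SHA256, suspect_names=SUSPECT_NAMES):
    """Walk each root; return (hash_hits, name_hits).

    hash_hits: (path, sha256, report label) for files whose hash is in the report.
    name_hits: (path, sha256) for files that only share a dropped filename.
    """
    hash_hits, name_hits = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    digest = sha256_file(p)
                except OSError:
                    continue  # locked or unreadable file: skip, do not abort the sweep
                if digest in known_hashes:
                    hash_hits.append((p, digest, known_hashes[digest]))
                elif name.lower() in suspect_names:
                    name_hits.append((p, digest))
    return hash_hits, name_hits


def run_key_hits(suspect_names=SUSPECT_NAMES):
    """On Windows, list Run/RunOnce values whose data mentions a dropped filename.

    Returns [] on other platforms so the module stays importable on an analysis box.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    hits = []
    hives = ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    for hive, hive_name in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, value, _type = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    i += 1
                    if any(s in str(value).lower() for s in suspect_names):
                        hits.append((hive_name + "\\" + sub, name, value))
    return hits


def demo():
    """Run the sweep on constructed stand-in files (not the real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for the Startup-folder dropper; its hash is added to the table
        # so the definite (hash) path is exercised.
        dropped = Path(tmp) / "Startup" / "sysabod.exe"
        dropped.parent.mkdir()
        dropped.write_bytes(b"constructed stand-in for the dropped binary")
        # Same filename as the second dropped EXE but unknown content: name-only lead.
        rebuilt = Path(tmp) / "UserDotR8" / "xoptisys.exe"
        rebuilt.parent.mkdir()
        rebuilt.write_bytes(b"constructed stand-in with a different hash")
        (Path(tmp) / "notes.txt").write_bytes(b"benign")
        known = dict(REPORT_SHA256)
        known[sha256_file(dropped)] = "constructed sysabod.exe stand-in"
        hash_hits, name_hits = sweep([tmp], known)
        return {"hash_hits": [h[2] for h in hash_hits],
                "name_hits": [os.path.basename(n[0]) for n in name_hits]}


if __name__ == "__main__":
    print(demo())
    print(run_key_hits())
```

Expect per-victim variation: the two dropped executables in this run are the same size as the parent (2.6MB) but hash differently from it, so a hash-only sweep catches this exact build and nothing else. Name hits and Run-key hits are triage leads to confirm by hand, and the Startup folder itself is worth listing in full since a dropped file there persists without any registry change.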