Analysis

  • max time kernel: 119s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/11/2024, 17:12

General

  • Target: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  • Size: 2.6MB
  • MD5: 463d1ea4a3d732f379b2bf231d270cd0
  • SHA1: 4a9e8a1be5638eca39edf12778de6f6f628f1cfd
  • SHA256: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677
  • SHA512: 2be4f1eedbd979d5af503623ab2256a4ba30895dac59e2efac457db303b411e89e7c9166c8a884841fb6543cdb155a460e28f24b899bb758c37d49ef843c3fb1
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpOb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe"
    PID: 1492
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      PID: 3028
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocQA\xoptiec.exe
      Command line: C:\IntelprocQA\xoptiec.exe
      PID: 2872
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocQA\xoptiec.exe
    Filesize: 2.6MB
    MD5: d639aa89ec0f56679e34a7f6d07fc51c
    SHA1: 12af856da10e5f5d4a0c09e54c25a5aa98e8b6cd
    SHA256: 456012e7d59fecc378b29418053b110c5c487dfcce5793ae71d4e913d20e7ef3
    SHA512: 48043da85f3147e9f99a7b55db6e648f99ea453023502fe95aea24133a1299e0de293d5b7aec0f718b36387ecb48e664070438c0fc8b3aedbfb2fed4b4f10870

  • C:\KaVB5Z\optidevec.exe
    Filesize: 2.6MB
    MD5: 407ede9a7c997f7feaad996d809fe0fc
    SHA1: 8b48ce9dca80c90d0490becba5a8de794b1b913f
    SHA256: c81d164ac4ec268e12fa2b56cadef3ff6a5dced1eccb978fe1f87e73385f8066
    SHA512: e3015b30468f5027bfe214381c3167f82b325171fb348da2310d8eac89e8b5e7272095367412e03286e13052f291678a55317788f0e204e26b014a7bac68aab2

  • C:\KaVB5Z\optidevec.exe
    Filesize: 2.6MB
    MD5: 9d2123c08c52ba41c0ff50c147ebdb16
    SHA1: 1e3a052fc9fbed6f4d2d7d12c734528b6e0d1840
    SHA256: 08fb248e7a48022f47f0ccc33215c71d8bf6598d88597e55ed67f353410ec9cd
    SHA512: 7e689cac16844aa61e29c4244026443b639cc488b5ceef78059b5c3c214614f36e7bb888f4da8862456983a3587ca77b5132d399d380e5d529cb3c3594dba840

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 174B
    MD5: 1e923a70687e5bd59979586eeeb93b3b
    SHA1: 4a487fc050297479a79a06b4ae6b91e1d455c935
    SHA256: 7a4a2f90cfaa60a981191ab2cd7b2c678348fddd21a1e012d480b4226afd2f5c
    SHA512: c288827f0eb3d1d22b209e352d78b952511ec067b7b0f6e4e892517979adecc640dcc4fbd75c4e75ab24e841e6dece75cd5f45fdcbda3254ba6d9abbf85736db

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 206B
    MD5: 84415b08cd4928576eecea4b73a0df42
    SHA1: 0c0b41dae27d70698593dc6931162e79eb464bfc
    SHA256: 8a3c4463ac33514b9b3cf4d07767f73f30651a02f254c1a6e6a4752001f8821d
    SHA512: d0372248c204666f9e3d29abf63e982393d81a537f6e719b44d7183971c2f08549fc33e928ecb7f8ba1c01b870353524769075f8dcd3062f8776705a63070292

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: 4b56041271f539a394b272d548a2911c
    SHA1: 1a500414baecd6914a68fe6ef42ea71975b01abf
    SHA256: 3e60e11df5f2fbdedaaa661c5250334d46a4622ae7d3d6600d2096819506ec08
    SHA512: 2c22eb89bd4d82c29eef7a39e8272d2b243da1e5ed01e8d372075440cfef472c37422d34908d9e85888ff4bea944960878393e6b770fdc4ddcdd29c9f0e08056