Analysis

max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:12
Static task: static1

Behavioral task: behavioral1
  Sample: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Resource: win10v2004-20241007-en
General

Target: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
Size: 2.6MB
MD5: 463d1ea4a3d732f379b2bf231d270cd0
SHA1: 4a9e8a1be5638eca39edf12778de6f6f628f1cfd
SHA256: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677
SHA512: 2be4f1eedbd979d5af503623ab2256a4ba30895dac59e2efac457db303b411e89e7c9166c8a884841fb6543cdb155a460e28f24b899bb758c37d49ef843c3fb1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpOb
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Process: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe

Executes dropped EXE (2 IoCs)
  PID 3028  sysxbod.exe
  PID 2872  xoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 1492  e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  PID 1492  e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQA\\xoptiec.exe"
    Process: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5Z\\optidevec.exe"
    Process: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptiec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysxbod.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events attributed to three processes; the same PID/process pairs repeat throughout the list:
  PID 1492  e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  PID 3028  sysxbod.exe
  PID 2872  xoptiec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1492 (e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe) wrote to memory of PID 3028, procid_target 29 (recorded 4 times)
  PID 1492 (e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe) wrote to memory of PID 2872, procid_target 30 (recorded 4 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe (PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 3028, child of 1492)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\IntelprocQA\xoptiec.exe (PID 2872, child of 1492)
    Command line: C:\IntelprocQA\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads