Analysis

max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:13

Static task: static1

Behavioral task: behavioral1
Sample: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
Resource: win10v2004-20241007-en
General

Target: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
Size: 2.6MB
MD5: 0dfb70f35e3fa52b28c1b0902dff5080
SHA1: c789c44af04c1c3d92336ad22863074c61ba4e8c
SHA256: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106
SHA512: fec0fcf56b2d290d9d39d91b5d426c48d5244dc61696b2ffd316c5c426d66ce7e4f19eddcfd9bf51d0a3799bc6b15d8837e54e7d693c984eb4d4aa7e41c3d1d1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpxbV
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  Process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe

Executes dropped EXE (2 IoCs)
  PID 2480: sysxopti.exe
  PID 1708: devdobec.exe

Loads dropped DLL (2 IoCs)
  PID 2024: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe (2 hits)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ4\\devdobec.exe"
  Process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRI\\optidevsys.exe"
  Process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe, sysxopti.exe, devdobec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated hits from three processes:
  PID 2024: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
  PID 2480: sysxopti.exe
  PID 1708: devdobec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2024 (18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) wrote to memory of PID 2480, procid_target 31 (4 hits)
  PID 2024 (18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) wrote to memory of PID 1708, procid_target 32 (4 hits)
Processes

1. C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
   PID: 2024
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (child of PID 2024)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      PID: 2480
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeQ4\devdobec.exe (child of PID 2024)
      Command line: C:\AdobeQ4\devdobec.exe
      PID: 1708
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads