Analysis
  max time kernel: 119s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 12/11/2024, 17:16
Static task: static1
Behavioral task: behavioral1
  Sample: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  Resource: win10v2004-20241007-en
General
  Target: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  Size: 2.6MB
  MD5: 1cc9f4da809ff5ede1c260a2d8bf1ab0
  SHA1: 2da2e9db9ee914d0a323c218a890a8e9b52c7d0f
  SHA256: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01
  SHA512: 5946e6509a71957fb7764745f7a5fed2d60e652ff3dbe3eb8709c833705c66e8c2cac5e037d5c248950e4bf4e265d813a4aab3092501d63d1899cde722d13399
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSq:sxX7QnxrloE5dpUpfbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe)
Executes dropped EXE (2 IoCs)
  PID 2796  sysaopti.exe
  PID 2584  xoptiloc.exe
Loads dropped DLL (2 IoCs)
  PID 2160  cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  PID 2160  cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZE\\xoptiloc.exe"  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2S\\optidevsys.exe"  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2160  cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  PID 2160  cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  PID 2796  sysaopti.exe
  PID 2584  xoptiloc.exe
  (the last two entries alternate for the remaining 62 IoCs, 31 times each)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2160 wrote to memory of 2796  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 30)
  PID 2160 wrote to memory of 2796  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 30)
  PID 2160 wrote to memory of 2796  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 30)
  PID 2160 wrote to memory of 2796  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 30)
  PID 2160 wrote to memory of 2584  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 31)
  PID 2160 wrote to memory of 2584  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 31)
  PID 2160 wrote to memory of 2584  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 31)
  PID 2160 wrote to memory of 2584  (process: cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe, procid_target: 31)
Processes
  C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
    PID: 2160
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
        PID: 2796
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\AdobeZE\xoptiloc.exe
        Command line: C:\AdobeZE\xoptiloc.exe
        PID: 2584
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads