Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:16

General

  • Target
    cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  • Size
    2.6MB
  • MD5
    1cc9f4da809ff5ede1c260a2d8bf1ab0
  • SHA1
    2da2e9db9ee914d0a323c218a890a8e9b52c7d0f
  • SHA256
    cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01
  • SHA512
    5946e6509a71957fb7764745f7a5fed2d60e652ff3dbe3eb8709c833705c66e8c2cac5e037d5c248950e4bf4e265d813a4aab3092501d63d1899cde722d13399
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSq:sxX7QnxrloE5dpUpfbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2796
    • C:\AdobeZE\xoptiloc.exe
      C:\AdobeZE\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2584

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeZE\xoptiloc.exe
          Filesize
          2.6MB
          MD5
          a7ac2f2d035cd80576e7ae6d2a0b898d
          SHA1
          51bf56b59b4ccbd88d34ca06da1ac8b4f9f89380
          SHA256
          7a5a8f7e397024be2197457caca0c01b34d24764e3b46fa273e30a3fe61f00d9
          SHA512
          f43d6c6d91c8bfc934b9742796c0d2f2f526c407ddf65e1ccabf6174c7cc32eb6b70452a634cd1f5aeeb8c67174ab8f0f7df063ac3bee421a8867f3ee8fe4000

        • C:\Galax2S\optidevsys.exe
          Filesize
          2.6MB
          MD5
          88f8a074b18cb51ce30f218045ef6743
          SHA1
          1a4e85e2d749b83978c946dd5b6110367ee14d77
          SHA256
          b3eb1ad5ee95a3db5a895b0885c142199fba2aff19d5b3acb195298f5969be53
          SHA512
          f7b08e44fa30781a42136e9b7b1399c8cf262bd5fcf4bca269c1f7453cf0abbfaac22c3ec4d2747a155c4c01c8be49b868844066e53b4f8d344010b0a8d8ce3d

        • C:\Galax2S\optidevsys.exe
          Filesize
          2.6MB
          MD5
          9f8c69e041464bc84c1351cb6fa62307
          SHA1
          5dc6b185580a842747b0b093b44a7fe6529ef957
          SHA256
          04c3468dca5d1444b55cafaf61adc20fbde14e1a85be06b2ddcdf63dfb10a544
          SHA512
          2811b80abbd4f99a8ef520e4d53b8041b682bfd4fe50dcb7f1b539fea84959d530c311b45697310292bf6be796274e378c5a931fe40c6a2188f2820191a9bdca

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          174B
          MD5
          dcac5d7d2d6a59fd76c5062b964102d0
          SHA1
          6f8d821a7093bed08f2f9cce14dafb8776fc8bf2
          SHA256
          aa3389f15a84137d53d7396ef90360143202e2b61c4bc126024b19aac94ba5af
          SHA512
          f37a0ae6adba081ed82326e554119c680ebd2ea0f9587834b32a7420b525eb44d63e0034a6bef842b1d292955f42b6204dd4e1c3383b43bc20ba940fa0eb64b1

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          206B
          MD5
          60d3d44dd1b39d5b6b656c42de023ccb
          SHA1
          686be8e032d3aa2250c8a176ba20c616aac6a5c2
          SHA256
          15237d376fe39348e103096c078aaeb08907c17f6200d6a132415ca2dffa07f6
          SHA512
          222af408f1cc155e72fdc468dca9eb1c688008898818dad8dd28b15903e993bc3b0a9d21bad5a107e716caa4f3a93cf1e88d6888a0e37636d8aade3945e4aab1

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
          Filesize
          2.6MB
          MD5
          5ef57d5de891f8270b341e6201a01530
          SHA1
          44346c8946c4cd3a3069a2fd1cb2a40da70896f8
          SHA256
          7f1c74f06504d73fc85c5d814bd560d80dbf7a21f45b32f245372aa59662408e
          SHA512
          0e968aaeb23d7b6943fc3a1bc5db90ec98179e838188eace4e2bc7deaf3236f53cebbbb7e536223feb0045901c47d735d77045193e7d6b18d8b184f957339e8e