Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:23
Static task: static1
Behavioral task: behavioral1
  Sample: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Resource: win10v2004-20241007-en
General
Target: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
Size: 2.6MB
MD5: 68f5422c68bc653dcb3fefafff35e6f0
SHA1: 4832c9ee6f9a496ca1f276cb8ad2d43859b29590
SHA256: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08
SHA512: 2c716aa216ad59dc720523fb2cb3476be208e9dc2a6f0be523084d929c0e39517470089236e6be060b500404cc091a8aa8c5efd0e72d2cc5ebba2af579fd95ab
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUppbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe  (process: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe)
Executes dropped EXE (2 IoCs)
  PID 2588: sysadob.exe
  PID 2816: devoptiloc.exe
Loads dropped DLL (2 IoCs)
  PID 956: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  PID 956: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\devoptiloc.exe"  (process: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLF\\optialoc.exe"  (process: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devoptiloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries repeat the following pid/process pairs:
  PID 956: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  PID 2588: sysadob.exe
  PID 2816: devoptiloc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 956 (6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe) wrote to memory of PID 2588, procid_target 31  (4 entries)
  PID 956 (6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe) wrote to memory of PID 2816, procid_target 32  (4 entries)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 956
   2. "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2588
   2. C:\SysDrvZX\devoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads