Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:53

General

  • Target

    86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe

  • Size

    2.6MB

  • MD5

    381cbfd3729a00cd95acba28f39ce3d2

  • SHA1

    de0c2044f6eb1bed4b82d1eed9d0b81133ebb5d9

  • SHA256

    86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2

  • SHA512

    af776a9343b3c0a8cf8898a0916b5cdedf47d6e9b7f7ceec269427e6619ca12aee9784576c27078af2c0c89031b8d425e136b0f4d3b01e201e78c5484c76d5b3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSq3:sxX7QnxrloE5dpUp4bV3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe (PID 2084, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (PID 1440, depth 2, child of PID 2084)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvZX\devoptiloc.exe (PID 580, depth 2, child of PID 2084)
      Command line: C:\SysDrvZX\devoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintLF\optialoc.exe

    Filesize

    2.6MB

    MD5

    fa3a3b35d029d18e3d23fa27357b88f7

    SHA1

    fba616205871016148bfb2bcc0ca6ad599b1df5a

    SHA256

    f41a5b6bae2c15fa7adf9770ddf89504b06b70409afb919023fb728667bd1b3f

    SHA512

    73f334f181c52459302759a8d166cff24c72ca450306432cbd73ba57f793544a8a76f9e3cec5e4734fc4c18ec2880711aa2f43a0765a758cb621a52c5dade6e9

  • C:\SysDrvZX\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    63c8fc098a41c8cd154848bdf192b138

    SHA1

    9da89e97aa7df1f456b0f07a0f1992fac30d6c32

    SHA256

    e50e16f94cd8a8008df12a0d267b3138380c65ea09b82bb48c07738105ba8828

    SHA512

    1ac55c5a7ee8773577fa378adf2d02e13beafe579a87c31c14c615c068051c0e1e819828de73ae251f08859e0a042f26365007c207e99acb9fb6db55e8902f30

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    278ee6f9bcda58cc2218f55904c4a3e9

    SHA1

    87871fe4f8e96876cda5543a14781e939e749c6c

    SHA256

    2eac99da5a3f72e26d34eceb2fff638dae7bd988a3b5a500890644f743f2028f

    SHA512

    13d1a39f2e41b2d187cf3820efab67926d8f6df678b374a2d32a292c22eb3431b9e911805bbf3c5d291904ab221b987ca3864f539fde7f71ed83d83072407531

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    55b38c6aca9d9e298fa7176b75e1b559

    SHA1

    26c601fa0a19713967932f2b86166f4d46fa1718

    SHA256

    a6c0048a17b9f3a0c1214a44067fa9770eef53c946d5bd3bd2ef1599924568ce

    SHA512

    a066c27e26c6630b26c44f4ec21b1aaa76f2d1a8dbfb74d1a0fff3845ec248168da3805e32bb04155e1bc6675e41b0b1696f2c2b59ebb683b6408b7c14af14df

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    de80a0e50860c7f5be8235410ede1cbe

    SHA1

    e7049a39b4e490bf31c61645ae38f9da07d1b184

    SHA256

    e03cabd85fb383860672103775dda1c5122fa8a0e17955539b7869ad2ddfe1b7

    SHA512

    693f330dea1a8cafadfeda2bfd013cd566b8dbbad0be41a61be9a7c84dadf810448cda17efec576b020135bb463bba7a0530028cdc4d74be84c3ff02ed529bfd