Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
13-11-2024 13:53
Static task
static1
Behavioral task
behavioral1
Sample
86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
Resource
win10v2004-20241007-en
General
-
Target
86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
-
Size
2.6MB
-
MD5
381cbfd3729a00cd95acba28f39ce3d2
-
SHA1
de0c2044f6eb1bed4b82d1eed9d0b81133ebb5d9
-
SHA256
86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2
-
SHA512
af776a9343b3c0a8cf8898a0916b5cdedf47d6e9b7f7ceec269427e6619ca12aee9784576c27078af2c0c89031b8d425e136b0f4d3b01e201e78c5484c76d5b3
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSq3:sxX7QnxrloE5dpUp4bV3
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe -
Executes dropped EXE 2 IoCs
Processes:
  PID 1440  Process: sysadob.exe
  PID 580   Process: devoptiloc.exe -
Loads dropped DLL 2 IoCs
Processes:
  PID 2084  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe (2 entries) -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\devoptiloc.exe"
  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLF\\optialoc.exe"
  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysadob.exe
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devoptiloc.exe
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID 2084  Process: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe (2 entries)
  PID 1440  Process: sysadob.exe (repeated entries)
  PID 580   Process: devoptiloc.exe (repeated entries)
  (64 IoCs in total, as given in the signature heading; the two dropped executables alternate for the remaining entries) -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 2084 (86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe) wrote to memory of PID 1440, procid_target 31 (4 entries)
  PID 2084 (86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe) wrote to memory of PID 580, procid_target 32 (4 entries)
Processes
-
Level 1
Image: C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084 -
Level 2 (child of PID 2084)
Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1440
-
-
Level 2 (child of PID 2084)
Image: C:\SysDrvZX\devoptiloc.exe
Command line: C:\SysDrvZX\devoptiloc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:580
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
fa3a3b35d029d18e3d23fa27357b88f7
SHA1
fba616205871016148bfb2bcc0ca6ad599b1df5a
SHA256
f41a5b6bae2c15fa7adf9770ddf89504b06b70409afb919023fb728667bd1b3f
SHA512
73f334f181c52459302759a8d166cff24c72ca450306432cbd73ba57f793544a8a76f9e3cec5e4734fc4c18ec2880711aa2f43a0765a758cb621a52c5dade6e9
-
Filesize
2.6MB
MD5
63c8fc098a41c8cd154848bdf192b138
SHA1
9da89e97aa7df1f456b0f07a0f1992fac30d6c32
SHA256
e50e16f94cd8a8008df12a0d267b3138380c65ea09b82bb48c07738105ba8828
SHA512
1ac55c5a7ee8773577fa378adf2d02e13beafe579a87c31c14c615c068051c0e1e819828de73ae251f08859e0a042f26365007c207e99acb9fb6db55e8902f30
-
Filesize
173B
MD5
278ee6f9bcda58cc2218f55904c4a3e9
SHA1
87871fe4f8e96876cda5543a14781e939e749c6c
SHA256
2eac99da5a3f72e26d34eceb2fff638dae7bd988a3b5a500890644f743f2028f
SHA512
13d1a39f2e41b2d187cf3820efab67926d8f6df678b374a2d32a292c22eb3431b9e911805bbf3c5d291904ab221b987ca3864f539fde7f71ed83d83072407531
-
Filesize
205B
MD5
55b38c6aca9d9e298fa7176b75e1b559
SHA1
26c601fa0a19713967932f2b86166f4d46fa1718
SHA256
a6c0048a17b9f3a0c1214a44067fa9770eef53c946d5bd3bd2ef1599924568ce
SHA512
a066c27e26c6630b26c44f4ec21b1aaa76f2d1a8dbfb74d1a0fff3845ec248168da3805e32bb04155e1bc6675e41b0b1696f2c2b59ebb683b6408b7c14af14df
-
Filesize
2.6MB
MD5
de80a0e50860c7f5be8235410ede1cbe
SHA1
e7049a39b4e490bf31c61645ae38f9da07d1b184
SHA256
e03cabd85fb383860672103775dda1c5122fa8a0e17955539b7869ad2ddfe1b7
SHA512
693f330dea1a8cafadfeda2bfd013cd566b8dbbad0be41a61be9a7c84dadf810448cda17efec576b020135bb463bba7a0530028cdc4d74be84c3ff02ed529bfd