Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  Resource: win10v2004-20241007-en
General
Target: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
Size: 2.6MB
MD5: cbd5e96b9a7b33d1320493b1327e8110
SHA1: 7eb7af8cf902e4cf765f289327d60c7cb1be55fe
SHA256: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8
SHA512: cc3de625dc8be39db4c62b36ce4ea4d7fb16b841a13b1bc5fe378e54b5a1074b2106f4f85d1db4fe44455f0721540d16b6ef509a5899d7dfd53d9a07db8d34dc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSq:sxX7QnxrloE5dpUptbV
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe)
Executes dropped EXE (2 IoCs)
Processes: sysaopti.exe, xoptiec.exe
  PID 2156: sysaopti.exe
  PID 2316: xoptiec.exe
Loads dropped DLL (2 IoCs)
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  PID 2524: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  PID 2524: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax39\\bodaec.exe" (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA0\\xoptiec.exe" (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, sysaopti.exe, xoptiec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, sysaopti.exe, xoptiec.exe
  PID 2524: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  PID 2524: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  PID 2156: sysaopti.exe
  PID 2316: xoptiec.exe
  (the remaining entries alternate between PID 2156 sysaopti.exe and PID 2316 xoptiec.exe; 64 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  PID 2524 wrote to memory of 2156 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 30)
  PID 2524 wrote to memory of 2156 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 30)
  PID 2524 wrote to memory of 2156 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 30)
  PID 2524 wrote to memory of 2156 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 30)
  PID 2524 wrote to memory of 2316 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 31)
  PID 2524 wrote to memory of 2316 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 31)
  PID 2524 wrote to memory of 2316 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 31)
  PID 2524 wrote to memory of 2316 (process: 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe, procid_target: 31)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe"
  PID: 2524
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 2156
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\IntelprocA0\xoptiec.exe
    Command line: C:\IntelprocA0\xoptiec.exe
    PID: 2316
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads