Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:29

General

  • Target

    acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe

  • Size

    2.6MB

  • MD5

    6c649a12d61a5f3889c77d89f4aa7976

  • SHA1

    7dff6159d926f37bd63ff8628c26e682bfef485f

  • SHA256

    acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699

  • SHA512

    2de6e0dd6219de9ddcdb94ec539519aac987298784f49ab958bc1119ed91f4cef3e23c49ba911335d3a794f44391ed382cbd14dc19148465a976a0236e31db40

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqt:sxX7QnxrloE5dpUpebVt

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
    "C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3332
    • C:\UserDot23\xoptisys.exe
      C:\UserDot23\xoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot23\xoptisys.exe

    Filesize

    2.6MB

    MD5

    9b788d88074071a373372ff5c4fd8285

    SHA1

    35b88b7248ca9dcdf8c23bc60ce8c816562b6219

    SHA256

    1c511c565eae19d9a8244345375baae20b530e088b6dcc0e8bdb875d7c37e131

    SHA512

    30393f29820a1954626a41540f15950a3fce4526ed758486bb949cfe4ee8cbef2a634f8e37f4973a3c6c8a45c429c03ada6511593b84dd4c988f8e0102fbfcd0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    bbe8583f9e8773d0c675439989bdb09a

    SHA1

    e0269974096fe7555d89b6b359217730b6b1b90d

    SHA256

    bd8808b03f476f52ac53338c11ce9d75f92a5d829e20dc5bcc7783cc01865807

    SHA512

    31e0cd58dad137136a4843a85151efee8f34cde8c282e1606194cac807e2945c7c5edcae3241ff28e37b98020c492216cfef3b19748c868209a68c7b2f48ed19

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    f3ed21f118893b12486815d2656b758e

    SHA1

    d438044644371fdc7ead55a675971d60ba5b6a5e

    SHA256

    c5dff8a3f833cd2ed34392a0496541d2de72cb16a6536f90df3fde5826dc51c0

    SHA512

    ffa72064dac6dcf740fab2c3db12fd5462e1ee2224001deb80b6f5ddbeb180cb352d7e69f0467910d3f439d23a7ba400aaeb3e7d82332f5b4ff348a8c2a5e913

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    2.6MB

    MD5

    d8ee8dc43910b478dd7d9d92fe0071e1

    SHA1

    c777932663e0f5f6eec327fdb2969f7caae01a33

    SHA256

    3e18f2bd334c8b66dd332e0817e091cebd125bba22c1e128fdcaa025a968def7

    SHA512

    855d29c3a9802993bc8a2614c50f22e655ca0c87728f51cb3fe2d3e7b0ed7af7df39c2819888117061d1f6808c9e6ffca97269824bcb21c1f7be37d51e337161

  • C:\VidVB\optixec.exe

    Filesize

    683KB

    MD5

    f454d81522ed7109ede29f80b0be07dd

    SHA1

    ffc6a0844a6f2028191300bdba3979c560b76f99

    SHA256

    a45c9ff8cc901b1702f139060c27d0c16d87861fe226b4182c816940f6ffc473

    SHA512

    70ddb58be6167e7370c3fe74ec422aa52e045756307959b826bacfb977820e85dbca354c04aebf39d41329c036c750e232ebdcef4bb1ea15a09d58e48780743f

  • C:\VidVB\optixec.exe

    Filesize

    339KB

    MD5

    cdaa677df0a72ca1249b443945efb7ea

    SHA1

    8394e1140fe426e2c3c2c0d8434ba1262d5177e3

    SHA256

    b16a5b08e31dc92faa667ba8f280a734ab16ba01da682c3eef5469414f1880cb

    SHA512

    d0fe457dc200f5f7bee1cfbb80d6a1d2e7b58a1a9956a6a4f2d84fc065fd661d5fe54bb2d628e498dd9f7536f479d058c784dfd3f7add299d3570f4d57dc68de