Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:41

General

  • Target

    a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe

  • Size

    2.6MB

  • MD5

    25fcd43dd13be01b88d95f3006bf36a0

  • SHA1

    3c04d3af5a3fac3da76780e3d5e86e235987e2a8

  • SHA256

    a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14dd

  • SHA512

    8407df9422abc63a2f5ec47208593a27be276a3ba6cea634dbb2312544164ece7f6d78735bbf37ec27feea6e951814d9df15dc4f5f36c413d08086cb3704e7e0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
    "C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1576
    • C:\Files3X\devbodsys.exe
      C:\Files3X\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3684

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Files3X\devbodsys.exe

    Filesize

    87KB

    MD5

    af48ca2c61e0fd1391631f72977d5f22

    SHA1

    5a069efa238e8af1beaf6bf300ec197273f50bfe

    SHA256

    67e11321d3511a75faedef813b792f1598531262b54e549353e444a1f356ace7

    SHA512

    649c6c2497748df61e4cb48ccdaf89fcac780ea30db667d836839258e29655252eed7c8ef535636c69049b16113fe2ff44b7dcbab942e8a0528a5caaec50df8d

  • C:\Files3X\devbodsys.exe

    Filesize

    2.6MB

    MD5

    e1fd3e00e8c724a6bc7d22dba26f4cd2

    SHA1

    9895aed0837024758229e83965913983626af0d6

    SHA256

    c689d9d3de99bbb0c86adef071952b6c3f719707857d3c7561de7e9543ceb0b2

    SHA512

    556c17a93ac38dd59443640320046cc91bc7a03e162a93a0fa1f7f351b7ce1565a07c87e1a1fc2116a58ec1adaf9b994496b26f86ea6fc439021486111c90d34

  • C:\Mint24\optixec.exe

    Filesize

    399KB

    MD5

    0338a4cf0378d68995be7fa3967d963f

    SHA1

    33f7e6c185fd6a86d05ab285a56c3cb7ee2bf006

    SHA256

    85064c05efaef64c5a8fc08cc059e815bfbc409f1b9560537f98df71dc7e4aba

    SHA512

    cd53d5ed0a62a83fcb2ed49436abb263e71faab6836517aed4ca775ab305c18173810da334fe60e9e9e049fa4a367532ac73aad467155e3148c6f9fe2dcd0a21

  • C:\Mint24\optixec.exe

    Filesize

    2.6MB

    MD5

    2ff3b564693946493f10ffe7bb943e15

    SHA1

    16aada0c1829f111494e7fbcad4768c7cde22290

    SHA256

    4b6ace786cdfa5d0331a775c2e516904e2cb229717a42bf5b40e1d6dc336caec

    SHA512

    f6dabd3dbad932481e6214e6d95d810c8bfe65aa68befabfe98e7522c7c566fdc7f52716f6316d8bc4a47dab2caeb56f1f1d16e888c3a06b51fd62909b476fc2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    5009f6c79203061adec0bc3e435a0201

    SHA1

    2269e4c35414e2756be4ac53d5710a7792ef0005

    SHA256

    816fe5a408877f1beaa6d2ca4d2d89d67c88994c1930dd1d4c09368845878ad9

    SHA512

    9ddf43d2648ddc09538137a7dd925e3e59eaab98bba3295b95efe0afdf2872c19f117687e3a8a6679e6bb8a7847e7f590ba55c1ff9273467c4079e8b836e4f0b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    8c5b3679a6129fa5859c383b8d763e8e

    SHA1

    9b97b3a6a0b810228b681a9db79e2463d3c35cd6

    SHA256

    c6ec3f14e2bdd1ae8eca426f68410dc0e6127bcc743c4904030b27cbf9ec6a3f

    SHA512

    a0d8a204b9eb2d65ab5f5bfff714fd6b223f4559c598aa632874de09c8914d780c6d6de3434ff3cab5ad802a7cea384e5c84fb4c25ad8f00ae8f4b4465e4c678

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    2af1e6cff6bd83ea0cc520674d99018e

    SHA1

    9889f5fe58ab872e8719a75e85e2d6bdb72b3ba2

    SHA256

    9962e7436db60f1f862595ec8db5cd6fe26f6dd2cb991275f28bb53d7e127127

    SHA512

    1c68986d5b979ac0579adac8ee6d7845f0a997df00d0dddcfc1394a995163f4aa06320233bc3d493bb7f5257dc7db5466e7b55f2fdd59fa667456c0f456899f1