Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:41
Static task: static1
Behavioral task: behavioral1
- Sample: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
- Resource: win10v2004-20241007-en
This page reports behavioral2 (the win10v2004-20241007-en resource named in the Analysis block above); behavioral1 ran the same sample on win7-20241010-en and is not shown here.
General
- Target: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
- Size: 2.6MB
- MD5: 25fcd43dd13be01b88d95f3006bf36a0
- SHA1: 3c04d3af5a3fac3da76780e3d5e86e235987e2a8
- SHA256: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14dd
- SHA512: 8407df9422abc63a2f5ec47208593a27be276a3ba6cea634dbb2312544164ece7f6d78735bbf37ec27feea6e951814d9df15dc4f5f36c413d08086cb3704e7e0
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
- Executes dropped EXE (2 IoCs)
  PID 1576: sysaopti.exe
  PID 3684: devbodsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers commonly target stored browser data such as saved credentials, cookies and session tokens. The report lists no per-process IoCs for this signature, so it cannot be tied to a specific file path or process here.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\Files3X\devbodsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\Mint24\optixec.exe"
  Both values share the name Parametr and point at executables in non-standard top-level directories (C:\Files3X, C:\Mint24) rather than a program or system directory. Only the Run target, devbodsys.exe, is executed during this run (PID 3684 in the process tree); C:\Mint24\optixec.exe does not appear in the process tree, so the RunOnce entry is unconfirmed by this run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. On its own this is a low-confidence indicator: many benign locale-aware API calls open the same key.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe, sysaopti.exe and devbodsys.exe (all three processes in the tree)
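The three signatures above (the Startup-folder drop, the Run/RunOnce values and the NLS\Language reads) are the kind of events a triage script can score without running the sample. The following is an added example, not part of the sandbox's output or of the malware: it transcribes those IoC lines into constructed event tuples and applies the heuristics a practitioner would want here (autorun target outside a trusted install root, executable dropped into the Startup folder, the same value name written to both Run and RunOnce, and which processes read the language key). The tuple layout, the trusted-prefix list and the finding names are my own conventions.

```python
"""Toy triage of the persistence and discovery events from this report.

Added example, not sandbox output: the event tuples are transcribed from the
report's signature sections; the tuple layout (kind, process, target, value),
the trusted-prefix list and the finding names are assumptions of this script.
"""
import re
from collections import defaultdict

SAMPLE = "a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
HKU_RUN_BASE = ("\\REGISTRY\\USER\\S-1-5-21-2045521122-590294423-3465680274-1000"
                "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\")
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\sysaopti.exe")

# Constructed from the report's IoC lines: (kind, process, target, value).
EVENTS = [
    ("file_created", SAMPLE, STARTUP_DROP, None),
    ("reg_set", SAMPLE, HKU_RUN_BASE + "Run\\Parametr", r"C:\Files3X\devbodsys.exe"),
    ("reg_set", SAMPLE, HKU_RUN_BASE + "RunOnce\\Parametr", r"C:\Mint24\optixec.exe"),
    ("reg_open", SAMPLE, NLS_LANGUAGE, None),
    ("reg_open", "sysaopti.exe", NLS_LANGUAGE, None),
    ("reg_open", "devbodsys.exe", NLS_LANGUAGE, None),
]

# Roots from which an autorun entry is usually legitimate (assumption: tune
# per environment, e.g. add per-user install roots that your fleet uses).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
EXE_PATH = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)', re.IGNORECASE)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)


def is_trusted_path(path):
    """True when the executable lives under one of the trusted install roots."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(events):
    """Return (finding, process, detail) tuples for a list of event tuples."""
    findings = []
    autorun_keys = defaultdict(set)   # (process, value name) -> {"run", "runonce"}
    locale_readers = set()
    for kind, proc, target, value in events:
        if kind == "reg_set":
            m = AUTORUN_KEY.search(target)
            if not m:
                continue
            key, name = m.group(1), m.group(2)
            autorun_keys[(proc, name.lower())].add(key.lower())
            pm = EXE_PATH.match(value or "")
            path = pm.group(1) if pm else (value or "")
            # Anything that is not a plain path under a trusted root is flagged,
            # including command lines that EXE_PATH cannot parse.
            if not is_trusted_path(path):
                findings.append(("autorun_untrusted_path", proc, f"{key}\\{name} -> {path}"))
        elif kind == "file_created" and STARTUP_EXE.search(target):
            findings.append(("startup_folder_exe", proc, target))
        elif kind == "reg_open" and target.lower().endswith("\\nls\\language"):
            locale_readers.add(proc)
    # A value name written to both Run and RunOnce by the same process is a
    # stronger persistence signal than either write alone.
    for (proc, name), keys in autorun_keys.items():
        if {"run", "runonce"} <= keys:
            findings.append(("run_runonce_same_name", proc, name))
    if locale_readers:
        findings.append(("system_language_discovery",
                         ",".join(sorted(locale_readers)), NLS_LANGUAGE))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(" | ".join(finding))
```

Run against the constructed events this yields two untrusted autorun paths, one Startup-folder executable, one Run/RunOnce pair named parametr, and one language-discovery finding naming all three processes. An entry such as `"C:\Program Files\Foo\foo.exe" --tray` under Run produces nothing, which is the point of the trusted-root check: the heuristic keys on where the target lives, not on the fact that a Run value was written.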
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, all from the three processes in the tree: PID 2948 (a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe), PID 1576 (sysaopti.exe) and PID 3684 (devbodsys.exe). The two dropped executables account for almost all of the events, alternating with each other throughout the run.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2948 (a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe) wrote to memory of PID 1576 (sysaopti.exe): 3 events, procid_target 87
  PID 2948 (a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe) wrote to memory of PID 3684 (devbodsys.exe): 3 events, procid_target 90
  (procid_target is the report's internal process index for the target, not a Windows PID.) Both targets are direct children of 2948 in the process tree, and a small burst of writes from a parent into a process it has just created is what CreateProcess itself produces while setting up the new process. This signature therefore records ordinary parent-child spawning of the dropped files, not injection into an unrelated process; treat it as corroboration of the "Executes dropped EXE" entries rather than as an independent finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe (PID 2948, root of the tree)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 1576, child of 2948)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files3X\devbodsys.exe (PID 3684, child of 2948)
    Command line: C:\Files3X\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB
  MD5: af48ca2c61e0fd1391631f72977d5f22
  SHA1: 5a069efa238e8af1beaf6bf300ec197273f50bfe
  SHA256: 67e11321d3511a75faedef813b792f1598531262b54e549353e444a1f356ace7
  SHA512: 649c6c2497748df61e4cb48ccdaf89fcac780ea30db667d836839258e29655252eed7c8ef535636c69049b16113fe2ff44b7dcbab942e8a0528a5caaec50df8d
- Filesize: 2.6MB
  MD5: e1fd3e00e8c724a6bc7d22dba26f4cd2
  SHA1: 9895aed0837024758229e83965913983626af0d6
  SHA256: c689d9d3de99bbb0c86adef071952b6c3f719707857d3c7561de7e9543ceb0b2
  SHA512: 556c17a93ac38dd59443640320046cc91bc7a03e162a93a0fa1f7f351b7ce1565a07c87e1a1fc2116a58ec1adaf9b994496b26f86ea6fc439021486111c90d34
- Filesize: 399KB
  MD5: 0338a4cf0378d68995be7fa3967d963f
  SHA1: 33f7e6c185fd6a86d05ab285a56c3cb7ee2bf006
  SHA256: 85064c05efaef64c5a8fc08cc059e815bfbc409f1b9560537f98df71dc7e4aba
  SHA512: cd53d5ed0a62a83fcb2ed49436abb263e71faab6836517aed4ca775ab305c18173810da334fe60e9e9e049fa4a367532ac73aad467155e3148c6f9fe2dcd0a21
- Filesize: 2.6MB
  MD5: 2ff3b564693946493f10ffe7bb943e15
  SHA1: 16aada0c1829f111494e7fbcad4768c7cde22290
  SHA256: 4b6ace786cdfa5d0331a775c2e516904e2cb229717a42bf5b40e1d6dc336caec
  SHA512: f6dabd3dbad932481e6214e6d95d810c8bfe65aa68befabfe98e7522c7c566fdc7f52716f6316d8bc4a47dab2caeb56f1f1d16e888c3a06b51fd62909b476fc2
- Filesize: 203B
  MD5: 5009f6c79203061adec0bc3e435a0201
  SHA1: 2269e4c35414e2756be4ac53d5710a7792ef0005
  SHA256: 816fe5a408877f1beaa6d2ca4d2d89d67c88994c1930dd1d4c09368845878ad9
  SHA512: 9ddf43d2648ddc09538137a7dd925e3e59eaab98bba3295b95efe0afdf2872c19f117687e3a8a6679e6bb8a7847e7f590ba55c1ff9273467c4079e8b836e4f0b
- Filesize: 171B
  MD5: 8c5b3679a6129fa5859c383b8d763e8e
  SHA1: 9b97b3a6a0b810228b681a9db79e2463d3c35cd6
  SHA256: c6ec3f14e2bdd1ae8eca426f68410dc0e6127bcc743c4904030b27cbf9ec6a3f
  SHA512: a0d8a204b9eb2d65ab5f5bfff714fd6b223f4559c598aa632874de09c8914d780c6d6de3434ff3cab5ad802a7cea384e5c84fb4c25ad8f00ae8f4b4465e4c678
- Filesize: 2.6MB
  MD5: 2af1e6cff6bd83ea0cc520674d99018e
  SHA1: 9889f5fe58ab872e8719a75e85e2d6bdb72b3ba2
  SHA256: 9962e7436db60f1f862595ec8db5cd6fe26f6dd2cb991275f28bb53d7e127127
  SHA512: 1c68986d5b979ac0579adac8ee6d7845f0a997df00d0dddcfc1394a995163f4aa06320233bc3d493bb7f5257dc7db5466e7b55f2fdd59fa667456c0f456899f1
The report does not map these entries to file names. Three of them are 2.6MB, the same size as the submitted sample, yet each carries a different hash from the sample (MD5 25fcd43dd13be01b88d95f3006bf36a0) and from the other two, so the dropped copies are not byte-identical to the parent. A hunt keyed only on the sample's hashes will miss them; use the file paths, the Parametr value name and the SSDEEP hash alongside the exact hashes.