Analysis

  • max time kernel: 119s
  • max time network: 21s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 14:02

General

  • Target: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  • Size: 2.6MB
  • MD5: aac09bdd2392a2bd5b0f983971740f48
  • SHA1: 7cff1a49e05e3f288540556e3def7d836973b3dd
  • SHA256: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721
  • SHA512: d4007105435f1d06de9ef1f5f3333f8375a73f88dbd2ee60582a296786334916b85aa9d31cc7ef0a5be571ca4f3b75ef3b1c9229cd9f56ba22ab95aa5cf79fc4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSy:sxX7QnxrloE5dpUpsb1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
    "C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2204
    • C:\SysDrv6F\aoptisys.exe
      C:\SysDrv6F\aoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax6Y\dobaec.exe
    Filesize: 29KB
    MD5: 8dc4d9694c17621720c320e82829dbd9
    SHA1: a9ac9ea870162fc6dc14d43c98824d48c29ec74c
    SHA256: 73310f0dab90499fcda3b7fc967815f59418fd9a16eb2c5fdae380da74753d78
    SHA512: bc76ddbcf70495f591f732f5a318f0de053184a7f9a94a2200be2db198ca084994c595437e721fa7d00df285a550501c22df2af8f77fd72840210ccca0fc8b3b

  • C:\Galax6Y\dobaec.exe
    Filesize: 2.6MB
    MD5: 18aadfae444dfd5c06ddf87ff8524e92
    SHA1: c51834056811b84108abe7b4d62d7f1184fb279e
    SHA256: 2181c1e41c97425acba5ce7cc8bb6c54044c4e5ef900685820a49fc7a6961e2d
    SHA512: 3270ec1249191240eeb2d0c69ecf7805cc0209250ac525c491da6e8145eac9b73149aa4a3a3d82b73300a480c0c6e040483140322dc3fcd6bdf6abce87fa1cfe

  • C:\SysDrv6F\aoptisys.exe
    Filesize: 2.6MB
    MD5: 0b71cf4b9d78b382d463c2fbdd3cc1ba
    SHA1: 92d244137b7adec22c1c7d079bee3cfa8550d3f4
    SHA256: e29f00415a75724d417446e9c69214c97ff82f70fb6f813c875eb075b2ee47db
    SHA512: 4a0c2ada2312f29f964ab156810c0bc5da8f4214da221b659b02e11d9c7c4b27519865602b28f73b4754f1986c1c4ca1ebcb2478b49490cb81caae7aeb05941d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 4751437b84f5c3003133f481656cb405
    SHA1: 99374676fa38090d8d42662f61d516211be4c8f4
    SHA256: 88669376afe4c44eac15379408465806484b1d86dfacb7aa940c31229a8dd35f
    SHA512: 9ab60e5dcf32b2d3a1659a2bf4cfc7867db581c039ce00d78616a72b0723ba0a18a69f14e08c28c987a792fef9a4e44e8f829617a9735df06b1c18fd449514bc

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 80ed7815bbde47c76c6cf6cb013adce3
    SHA1: 5206f29b028a8001a622c4abdcb6e313c115425f
    SHA256: 7b66ae35cd2e4b373cecfc063a6055d1b98f386f9c571203411b1f4b2eecd00b
    SHA512: 980709684886098809b84915817b472d599f6ccd0182af85b44e688c7dd337de1ab973db4e1fe69fc5d375befb449a0b7c7473a26f6f107d6c879c23fe4e1366

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: d2c1db91d215a7a271a1a058dfbd21e8
    SHA1: 8e649273c5af08c4f68e241109df6428533a380a
    SHA256: b125b61f68ac92ecc719e933353d4cfc53bff826dc10a13c87a92f1801946dd7
    SHA512: 4a13f6d636b2898e41dce7f3918563bfb3ad96cc8d946e515ba836e8f25da9b4a12d6b130a513c1b3bf447d622582523648054d85977a76fd2bd274bc143e7b2