Analysis

  • max time kernel
    119s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:17

General

  • Target

    9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe

  • Size

    2.6MB

  • MD5

    a46fff217cd67e6b4b2a8d002a4ebbae

  • SHA1

    24d021c8243f86ada13c4b0decbe48fd1eef2193

  • SHA256

    9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb

  • SHA512

    4584c397529138996ad1379d71496f28fd32d1fedf5b8c43eccca9d4dd81841a21f9c81754e4634e5ff41c69f2c3d7542eaf8631906f0bb7c92a23a978cab9d5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSy:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
    "C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4336
    • C:\Adobe4D\xoptiec.exe
      C:\Adobe4D\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe4D\xoptiec.exe

    Filesize

    287KB

    MD5

    242c8dad2306d53c6b1522ab817d23f9

    SHA1

    b28e46550e49ec5a46dbf72442ce63c219bd9107

    SHA256

    9b16b1e801685cf9e5336997661c79310d8a2ae94c51a7cd0569cb288d13e8ed

    SHA512

    cb5045ac76ccb50adca545529ad70b835f56f46c0a004ea5d82d138b0ed0bc6c048400a6c250c9574ef92f56b29d480a7259444fcf74d286faee4068f20b0847

  • C:\Adobe4D\xoptiec.exe

    Filesize

    2.6MB

    MD5

    df0af801915a1784bd2983b075525861

    SHA1

    660602660d30aed027d2127cf05fa4770ed9743a

    SHA256

    a85e8540fcd0aaa5fa9d25dae9688d4376c5b0f32b20ddc6f17468d3edd8de66

    SHA512

    2b88a72c0b1ebbcb8ef22ceafdc276048db608fa7b6d4f50e2b97318e19fb8848480a5a688c6b7fdde2faa5d0cd821b9e3a48b14b4a91ce3265cd51196999d9d

  • C:\KaVB77\optixsys.exe

    Filesize

    117KB

    MD5

    f86d6968f53f7fe034234b796d99f704

    SHA1

    79f99e8b77c247ebc4422bfc86b92a113f81a5fd

    SHA256

    c82e9ca90165f9f3b7f63270e14613676292fd9a9479cfd209feb7907dbe0523

    SHA512

    3bdc1a28dcc9611bf0bc1a780cdffb02c31a0e1a2aae2459605e72d57d84655f1d15fcb92cb3d38691dbe9518e61454c13f58413cffe5a91ec6044ba1fc69134

  • C:\KaVB77\optixsys.exe

    Filesize

    498KB

    MD5

    0af0e820773626260223358f2f455307

    SHA1

    a636ab00a1d19cbddf959c39ef69f5dc89b67a59

    SHA256

    027af904f0e6813bd344cfa688b4a5fada28abad596788a7f7a14b6a82c3a43b

    SHA512

    fe33bee623d80102fb3408aaf24239ce2214859de1f567a838c5eb28a1070dc07ab02a592d246b69f8c0bcedfbb2616d681791ec9b26bed9486f773ea6531ac0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    e9d9fe5f6375b0a4e1283c182fac34bd

    SHA1

    6c93c2fe53c736c288fad644938c092e8b9d8fc6

    SHA256

    992cb1960f6a6098c49c129d3e22eb8b638b8f8172be1df6771182c657008132

    SHA512

    0bd2a3d3c5bad19571b180244961f19f1d33dbea20e7b943fd4f62c066d73d74f10b97d3eefcd28efae896b8cb9e4cb9c8eae67fcda924b61de1e9bb672bab4b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    f1313b234f2682e17991eb2f33ba6a85

    SHA1

    af54a47211bdcbdf1d7e27ae7c49f8906ecc9f77

    SHA256

    ed86aa7a87388e97e47f333d86c319f8a4e2085f565c026a9a54dc713dd5a1e1

    SHA512

    8563e01b718187376dc0c96107149f5966e26c1d76cb70e67de6e69bc6c9936bada5bfa9e7ce71e2b786178f217c11b227d447112b428b962f78539720592027

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    98eb220642e5a499c5f2b23051be2e77

    SHA1

    2266582c1cd6422d9a17a1d99a008422a58e75aa

    SHA256

    a5b23cff7e84baee95e355b0b5340fd61e32043cc8a7e4b6a19c4475418983eb

    SHA512

    ee7599e51357f340a1795febc45b7bedc2e66893192c7507d28ac450e38926e2935e8c5022301b0153bb6a323edd26753524504ca54f8f9dbd6434cbb0aaa98c