Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:17

General

  • Target

    1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe

  • Size

    2.6MB

  • MD5

    2ff31c5997c4d85234886775fe0ab0fa

  • SHA1

    a12aefc6335e6604faba3e6de26bbe5050daeb52

  • SHA256

    1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d

  • SHA512

    16fe90c2ecb0f4efe32900e1d28a892c3637c7b833d782a88bb706023abb35fe27c39a9d871a18b791b23e14fa93739916a1df6468c31ee90ad41edf3421c02d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpTb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
    "C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2768
    • C:\IntelprocEN\xoptisys.exe
      C:\IntelprocEN\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax8K\optiasys.exe

    Filesize

    2.6MB

    MD5

    f5cb686eb195ddb2282ffd14effb878e

    SHA1

    2d6a7f811f036d3fda786578740bcdef3a386a5f

    SHA256

    5a15063b97c68386a46629afa79ce5bb1011f01bdab231bd57322fc7c3e39b1a

    SHA512

    bafe99f28f35b4c1006ec2b438f15f5f1a3054470912a37cb8c152f4d0188cec30c9c0419341b7e63207f8aec80ebb41db7723fe497ea62a9a24fb8bab559569

  • C:\Galax8K\optiasys.exe

    Filesize

    2.6MB

    MD5

    5ad888056f3ee6159a823db579c762cd

    SHA1

    426a43e45686ee1dfdae8c46594cb61deda45515

    SHA256

    44e8a212c1c3a3355a7bf40b9fe7ccd0e40cced292f8f240a966573595a8792e

    SHA512

    b45f5d0bd5eb852dc7d197cd622d60554720559e1a823292f629956e814c539a7bb12cc2cb8f9c1ce0356cbc36c21bb51f1122ea384c4f0efadcc060a01ab70e

  • C:\IntelprocEN\xoptisys.exe

    Filesize

    9KB

    MD5

    61b773990ee27e9e908970e63b267f79

    SHA1

    522f4b8bd8207fe759634142fdb72607b71380f4

    SHA256

    8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d

    SHA512

    6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    bbfdd0f1bee35ca488c6f83bfade777e

    SHA1

    2e1c4d36d1a94cfb170269e90380cfffeb2feb05

    SHA256

    d721a797fc0919f466be0730953224994e6d54aad95bcb0e0bd21f390457a13f

    SHA512

    2ab1bc4e0e81ce32bd309b836a284f64cc886cfce3b487f83a9fb21a1b80fd3baa34e2ff813f6dd82a8c1cbe8f655ce03abd68574a7d16c49a4d8d1c0272c794

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    638833737d69d54adcb5d18a01dc8746

    SHA1

    09c5968f55e40886a7cb19a09d6dd03eb9198e8e

    SHA256

    6427d03502532f90b1974758adfec935dafd921873b0c06b96ec4c76bd9eae29

    SHA512

    de4829f371e243d843e1fc9a583e1bb309e578b49d8e69d6425cf6f9f5a6f3a3c5a08ca490dc4a3b71f6488ac9520b356765770f5885956f86d56008c171dcb0

  • \IntelprocEN\xoptisys.exe

    Filesize

    2.6MB

    MD5

    5855b73c05354d6eac6685706d88fcf3

    SHA1

    6c58017e4df15f898ac573d26d60575fbfe1a7d1

    SHA256

    a2ed01a37853781061e435791341918c517642c2f02961cd148ad038bb334bb8

    SHA512

    214c39c4d6fadee3999b0727a2524e5280d48fa17a815adafbe6f62078c17f2126f274e2cea51528ac8155d0326a302cc9980a397f7e7e0e8d313ec6cec0a768

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    9fe05eb649cb3fefeae46b3de12bf33a

    SHA1

    5611aeec3ab614eb0d1c0196c5ad37ddb3f8d735

    SHA256

    966efc8639d9aed8f4ad72ad0de053627af9ca79b6f88d2f6bcbb476efb441c7

    SHA512

    36b0b18356f5b7f5e2f563affb3abfaca08229e266e2da1e1b7f962485a0928435bafc68ad38c0be1113e7fd7fb894b02c0612927675cd92969644f061663d96