Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:44
Static task: static1
Behavioral task: behavioral1
Sample: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
Resource: win10v2004-20241007-en
General
Target: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
Size: 2.6MB
MD5: 3176dab117ad04f9820930d2a4d73aa0
SHA1: b0773f13a7ee3ef8a92b510db9fef872d993f0db
SHA256: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c
SHA512: 7820a909f58c07a90d1adcfb0878e10bc7f3cf15d992cdcd8ac4d072c217bf0a0bb138cadc73dac83f7591d299d2a1903efad13114130655baff34a603e5e1d3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUp1b
Malware Config
Signatures
Drops startup file (1 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe)
Executes dropped EXE (2 IoCs)
Processes:
pid 2608: sysxdob.exe
pid 1356: devoptisys.exe
Loads dropped DLL (2 IoCs)
Processes:
pid 2292: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
pid 2292: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\devoptisys.exe" (process: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIO\\optialoc.exe" (process: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxdob.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptisys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 2292: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe (2 entries)
pid 2608: sysxdob.exe (remaining entries alternate between this process and pid 1356)
pid 1356: devoptisys.exe (remaining entries alternate between this process and pid 2608)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 2292 (790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe) wrote to memory of 2608, procid_target 31 (4 entries)
PID 2292 (790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe) wrote to memory of 1356, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2292
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2608
  - C:\SysDrvNQ\devoptisys.exe
    Command line: C:\SysDrvNQ\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1356
Network
MITRE ATT&CK Enterprise v15
Downloads