Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 19:44

General

  • Target: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
  • Size: 2.6MB
  • MD5: 3176dab117ad04f9820930d2a4d73aa0
  • SHA1: b0773f13a7ee3ef8a92b510db9fef872d993f0db
  • SHA256: 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c
  • SHA512: 7820a909f58c07a90d1adcfb0878e10bc7f3cf15d992cdcd8ac4d072c217bf0a0bb138cadc73dac83f7591d299d2a1903efad13114130655baff34a603e5e1d3
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUp1b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
    "C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2608
    • C:\SysDrvNQ\devoptisys.exe
      C:\SysDrvNQ\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZIO\optialoc.exe
    Filesize: 2.6MB
    MD5: 95ec9e541711f094e40dde8e4a9d303a
    SHA1: 10e04f1166a36b638e71005f8e154155b02043c5
    SHA256: 8c8d832bddfb55e420ffd7ab803ac31250e575c76154e38e40da5559adb6b8d2
    SHA512: 61e599721f64774198b15582317b64339e0feafd8bafefbee29e854568808c2724a0b029268a3c89e5c1431bcc1bd9d75a82422c99c1ebac1ea7ba11496e39a5

  • C:\SysDrvNQ\devoptisys.exe
    Filesize: 2.6MB
    MD5: f524c6a40f0682c4b938be53f7a20554
    SHA1: 6bdba2d6ae8b1094670ee639d596e6a21994cb05
    SHA256: b550c5c9932254894e4de262927b10ca3888fdcc0da03e5bdfccbf949ff68a63
    SHA512: 5cc2d72bfdc1e14a73f3b863b0dca2b7b01f0235627c054f9771051db53cb68984f37d264f66f60570543007b2377e92612e93c74da3caababc40f9f7337d254

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: b7cb8726c8ed3a0ea5e43d346a916e10
    SHA1: fd701aa13074eeb7e734dab2f8fb1c9a2ef29644
    SHA256: bb73e1d35454a6e74998bfbf50af49bd650f8b4b3aa66d9d1a27bb9226212ba6
    SHA512: 2f77e80214bcef1529bc25a5556473a8fadf00747830f82278bb362cddd783e17b06cbfeb59266aee856433699831f9f4602fa5936a5ce212d743bb69f16106f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: d927ee6937f70dc8cd9e0df3d6b97be7
    SHA1: abdccdfc7f1459625d8f9f76a07ca6d60e803202
    SHA256: 9ad5f4359b4c94a8c69ed6203eb6c3e29db3195d7c1caac99b599db7ee305ebd
    SHA512: 7bf92157e24b6399a6b675cf6d84fb2948245345791d5b9975178b8b35a222046ba7a9e56919e12e371b41e5ff56eb2b5c97f2267dff5e5a065952ccf47a3fec

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: aeec5ebde2215ddd4b862121cf1799f9
    SHA1: 73a5946088a4d454164e6b2626de828a6e38baa5
    SHA256: cf69ddd7d46476a69a8bd85561e5d8f92ca0c9c36ddbef13e67c79a5a6a83dfa
    SHA512: aa5ac7e714d5608a9eb05bfd8672efac2e4a06ceae7e40baee0ea31d26213ec00ff2ce9dafbda48bdc59ca72a1d9f638004ed8c43e72af9d9e41602bc5f4d353