Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 19:44

General

  • Target

    790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe

  • Size

    2.6MB

  • MD5

    3176dab117ad04f9820930d2a4d73aa0

  • SHA1

    b0773f13a7ee3ef8a92b510db9fef872d993f0db

  • SHA256

    790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c

  • SHA512

    7820a909f58c07a90d1adcfb0878e10bc7f3cf15d992cdcd8ac4d072c217bf0a0bb138cadc73dac83f7591d299d2a1903efad13114130655baff34a603e5e1d3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUp1b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe
    "C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3828
    • C:\FilesD6\devoptiloc.exe
      C:\FilesD6\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5056

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesD6\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    ef732a9c8af24891e80458506d340bbf

    SHA1

    e62ff9da3bc4187fe971195241d05be8b0080f4f

    SHA256

    0b749aa1acbde88693b7e0aea1b210dbe8939e54101e3ed4192b12e315db213a

    SHA512

    3e8c3b4cd8ce0d355178c5b078de181bc1bef56f9cfd1d01675747d082abb342003899aa2f498fcfdfe91ad1edfb48b4e6b552570088a0ffac3cdf3fb74873c8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    206B

    MD5

    b41e6da08f66284d1098ca9c9c297038

    SHA1

    a416f93894d6f477e8f69cba81d663c2c898717e

    SHA256

    947c5457d49d9105a5c68a2e6283bf891aa20a050d9fde0d5273a5c21e969b39

    SHA512

    716920eee56a40831ab0f986ff80333f0171809856c736547c515fcea5cf6bc1e784b89e64089ac455d9f65d1f7b6f9fbdccedbc8face0fd0cea72119b167cbb

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    174B

    MD5

    d04452ab047af7adeb76577228048847

    SHA1

    aa24307f7179d393a73fddb2f8e80723707a4329

    SHA256

    5c4202a1cbc5e5ee1363813c68140ab94f6f28ef3eb9cb9a0b603ffa49395fb6

    SHA512

    0f4b6811263a9ee79471969dde988019251135c241465f88653a20601c15e9d5141c8c74bfa616908a543065f91f944c8ef072a0c17adfab5ed0ced67cc99d38

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    59e16ac7a32a2e1349f316122321c304

    SHA1

    1ac5fea011b358999456f1b3eff3cb76602c1c8d

    SHA256

    8498eea9026373609364ab12d2fad0d0bbd1d9c9ed3494bdaeb3824034916c9c

    SHA512

    99c169d3a18a49b6f8a452ed0bc6369bc3b8ac610eab5f5c2288c288eeeff3e861493fbc80f0b53bffad3886812f0f2b7ef167e06d8949dd272e7e845eb729ce

  • C:\Vid4V\optialoc.exe

    Filesize

    668KB

    MD5

    e9eabce3921c659d6084f90c86a99f8c

    SHA1

    8a82f67fd961308a6de6d34e516f213fc4900eda

    SHA256

    685d9f2748f4edeb4bef0d82e391185cfdaf7a037f38505fb372753a5f94c085

    SHA512

    21d938164436a199febdadb5f4f5a57a0626eb73c32cbfcf3d6014b6b830b34b2edd74c531c9979d74ed5c569585bce8b12d54a4f3fc7911185f402b33209a63

  • C:\Vid4V\optialoc.exe

    Filesize

    8KB

    MD5

    4f22d799849ad951d457b82eff37db75

    SHA1

    4e1063fe8d636bd72f9cd680c689c23c67188ea6

    SHA256

    6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

    SHA512

    9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a
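As an added example (this script is not part of the sandbox report and is not code from the sample): a PowerShell hunt that checks a Windows host for the persistence and dropped-file artifacts listed above, the Startup-folder executable, Run-key entries, the C:\FilesD6 and C:\Vid4V directories and the per-user .ini. The SHA256 values are copied from the Downloads section and the target hash. The report does not show the Run value name or its data, so Run entries are matched on the file names and directories from the process tree rather than on a specific value name; the .ini name pattern `<digits>_<OS version>_<user>.ini` is likewise an assumption generalised from the single name the report shows. Run it from an elevated PowerShell so every profile and loaded HKU hive is readable.

```powershell
# Added example, not part of the sandbox report. Hunts a host for the
# artifacts listed in the report above. Assumptions (not in the report):
# Run value name/data are unknown, so Run values are matched on path and
# file name; the .ini name is assumed to follow "<digits>_<OSver>_<user>.ini".

# SHA256 values copied verbatim from the report.
$KnownHashes = @{
    '790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c' = 'initial sample'
    '8498eea9026373609364ab12d2fad0d0bbd1d9c9ed3494bdaeb3824034916c9c' = 'Startup\sysdevopti.exe'
    '0b749aa1acbde88693b7e0aea1b210dbe8939e54101e3ed4192b12e315db213a' = 'C:\FilesD6\devoptiloc.exe'
    '685d9f2748f4edeb4bef0d82e391185cfdaf7a037f38505fb372753a5f94c085' = 'C:\Vid4V\optialoc.exe (668KB)'
    '6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948' = 'C:\Vid4V\optialoc.exe (8KB)'
    '947c5457d49d9105a5c68a2e6283bf891aa20a050d9fde0d5273a5c21e969b39' = 'profile .ini (206B)'
    '5c4202a1cbc5e5ee1363813c68140ab94f6f28ef3eb9cb9a0b603ffa49395fb6' = 'profile .ini (174B)'
}
$SuspectNames = @('sysdevopti.exe', 'devoptiloc.exe', 'optialoc.exe')
$SuspectDirs  = @('C:\FilesD6', 'C:\Vid4V')
$Findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Path, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# Hash a file; record it if the hash is in the report or the name is one of the dropped EXEs.
function Test-SuspectFile([System.IO.FileInfo]$File, [string]$Type) {
    $h = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes.ContainsKey($h)) {
        Add-Finding $Type $File.FullName "hash match: $($KnownHashes[$h])"
    } elseif ($SuspectNames -contains $File.Name.ToLower()) {
        Add-Finding $Type $File.FullName "name match, hash $h (content differs from report)"
    }
}

# 1. Per-user and all-users Startup folders ("Drops startup file").
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspectFile $_ 'StartupFile' }
}

# 2. Run keys in HKLM and every loaded user hive ("Adds Run key to start application").
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
    $runKeys += "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $data = [string]$p.Value
        $hit  = $data -match '\\Start Menu\\Programs\\Startup\\'
        foreach ($n in $SuspectNames) { if ($data -match [regex]::Escape($n)) { $hit = $true } }
        foreach ($d in $SuspectDirs)  { if ($data -like "*$d*")               { $hit = $true } }
        if ($hit) { Add-Finding 'RunKey' "$key\$($p.Name)" $data }
    }
}

# 3. Dropped directories and the per-user .ini written during the run.
foreach ($d in $SuspectDirs) {
    Get-ChildItem -LiteralPath $d -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspectFile $_ 'DroppedDir' }
}
Get-ChildItem 'C:\Users\*\*.ini' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+_\d+\.\d+_[^_]+\.ini$' } |   # assumed name pattern
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        $detail = if ($KnownHashes.ContainsKey($h)) { "hash match: $($KnownHashes[$h])" }
                  else { "name pattern match, hash $h" }
        Add-Finding 'ProfileIni' $_.FullName $detail
    }

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the results. The report lists C:\Vid4V\optialoc.exe and the profile .ini twice with different sizes and hashes, so each path was written more than once during the run and an on-disk copy can match at most the last version; that is why the script also reports name and path matches rather than relying on hashes alone. optialoc.exe has no entry in the process tree, so it was dropped but not executed in this run, and the .ini name embeds what appears to be a per-host number and the user name, so its hashes are unlikely to match on any other host.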