Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:47

Static task: static1
Behavioral task: behavioral1
  Sample: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Resource: win10v2004-20241007-en
General
Target: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
Size: 2.6MB
MD5: 095d375e30551efe363dee87431283e0
SHA1: ffd6bda3580ea75580b6d5f499b3b530228bf312
SHA256: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3
SHA512: 29b578038c227a9aea78e59d03865bf76a14fb6340a9c0cf87f56863f33e815e4d2b7509eacc4e1e29c17d05d726bf4e0d03ec0ee56688770972c3e5a8b939ec
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSm:sxX7QnxrloE5dpUpyb/
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  - File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe  (process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe)

Executes dropped EXE (2 IoCs)
  Processes: sysxopti.exe, devoptiloc.exe
  - pid 2580  sysxopti.exe
  - pid 848   devoptiloc.exe

Loads dropped DLL (2 IoCs)
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  - pid 1984  e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  - pid 1984  e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  - Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesF8\\devoptiloc.exe"  (process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe)
  - Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAW\\dobasys.exe"  (process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe, sysxopti.exe, devoptiloc.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe)
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysxopti.exe)
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe, sysxopti.exe, devoptiloc.exe
  - pid 1984  e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe  (2 entries)
  - pid 2580  sysxopti.exe  (31 entries)
  - pid 848   devoptiloc.exe  (31 entries)
  The 62 entries for sysxopti.exe and devoptiloc.exe alternate between the two processes.

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  - PID 1984 wrote to memory of 2580   pid 1984  e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe   procid_target 30  (4 entries)
  - PID 1984 wrote to memory of 848    pid 1984  e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe   procid_target 31  (4 entries)
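The persistence signatures above (a drop into the per-user Startup folder, Run and RunOnce values named Parametr pointing at C:\FilesF8\devoptiloc.exe and C:\VidAW\dobasys.exe, and execution of the dropped binaries from those locations) translate directly into host detection logic. The block below is an added example and is not part of the sandbox report: Python rules run over constructed Sysmon-style events. The field names (EventID 11 FileCreate with TargetFilename, EventID 13 RegistryEvent value set with TargetObject and Details, EventID 1 ProcessCreate with Image and ParentImage) follow Sysmon and are an assumption about the telemetry source; the events themselves are made up to mirror the report's IoCs and are not real telemetry. Sysmon logs registry value writes but not key opens, so the NLS\Language reads from the language-discovery signature are out of scope for these rules.

```python
"""Detection rules for the persistence IoCs in this report, run over constructed
Sysmon-style events. Added example; not part of the sandbox report. The event
records below are made up to mirror the report's IoCs, not real telemetry."""
import re
from typing import Dict, Iterable, List

# Paths and names taken from the report's "Drops startup file", "Adds Run key"
# and "Executes dropped EXE" signatures.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe")
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\sysxopti.exe")
KNOWN_DROP_PATHS = {r"c:\filesf8\devoptiloc.exe", r"c:\vidaw\dobasys.exe"}
KNOWN_VALUE_NAME = "parametr"

# Per-user Startup folder, independent of the user name.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE)
# Run / RunOnce values under any hive prefix (HKU\..., \REGISTRY\USER\..., HKLM\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)


def _norm_path(value: str) -> str:
    """Lower-case a path and undo the quoting and doubled backslashes the
    report uses for registry string values ("C:\\\\FilesF8\\\\devoptiloc.exe")."""
    return value.strip().strip('"').replace("\\\\", "\\").lower()


def check_event(ev: dict) -> List[str]:
    """Return the rule names the event matches; an empty list means no hit.
    Assumed (Sysmon) field names: EventID 11 = FileCreate (TargetFilename),
    EventID 13 = registry value set (TargetObject, Details),
    EventID 1 = ProcessCreate (Image, ParentImage)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 11 and STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
        hits.append("startup_folder_drop")
    elif eid == 13:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            hits.append("run_key_set")  # broad, triage-level: any Run/RunOnce write
            if m.group("name").lower() == KNOWN_VALUE_NAME:
                hits.append("run_key_name_parametr")
            if _norm_path(ev.get("Details", "")) in KNOWN_DROP_PATHS:
                hits.append("run_key_points_at_dropper_path")
    elif eid == 1:
        image = _norm_path(ev.get("Image", ""))
        if image in KNOWN_DROP_PATHS or STARTUP_DIR_RE.search(image):
            hits.append("exec_from_dropped_location")
    return hits


def scan(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each rule that fired to the Image values that triggered it."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(rule, []).append(ev.get("Image", "?"))
    return out


# Constructed events mirroring the report's IoCs, plus two benign decoys.
SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
HKU_CV = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": STARTUP_DROP},
    {"EventID": 13, "Image": SAMPLE_EXE, "TargetObject": HKU_CV + r"\Run\Parametr",
     "Details": r"C:\FilesF8\devoptiloc.exe"},
    {"EventID": 13, "Image": SAMPLE_EXE, "TargetObject": HKU_CV + r"\RunOnce\Parametr",
     "Details": r"C:\VidAW\dobasys.exe"},
    {"EventID": 1, "Image": STARTUP_DROP, "ParentImage": SAMPLE_EXE},
    {"EventID": 1, "Image": r"C:\FilesF8\devoptiloc.exe", "ParentImage": SAMPLE_EXE},
    # Benign decoys: a vendor updater registering itself, and a document being saved.
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVendor\updater.exe",
     "TargetObject": HKU_CV + r"\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, images in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(images)} hit(s)")
```

The broad run_key_set rule fires on the decoy updater as well as on the sample, which is the expected behaviour for a triage rule; the value-name and target-path rules are the sample-specific ones and only fire on the events built from this report. The regex anchors on the key suffix rather than the hive prefix so the same rule handles Sysmon's HKU\ notation and the \REGISTRY\USER\ form the sandbox prints.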
Processes
- C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe  (level 1, PID 1984)
  command line: "C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe  (level 2, PID 2580, child of 1984)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesF8\devoptiloc.exe  (level 2, PID 848, child of 1984)
    command line: C:\FilesF8\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 01f6dc0fd9cfee905a32ec0e44bfe379
  SHA1: 2a33f473c66ee923ce130aba95e74f635016a872
  SHA256: f532cec752aeccfd65f117dd447738b6d5ca1b7b44088b27d31d96c3fcbac8a5
  SHA512: 4810e2dee24a3229d45b398741546330551eb3bd7104f7b9dc0f9a76184d45b412225b42ac01f7d1dfe32cb7038c3cc30d6ba3dbb499b46152a36f27515ef90d
- Filesize: 171B
  MD5: 5149113981a84cccf739780fbc7ab915
  SHA1: 992410c85c6bcc6eae5e2658add46c2bb3b23144
  SHA256: 01c83c5fbd1b37839d43673a5716624c4ed3193388f99e994a3e19b22ce5f0e7
  SHA512: c13b7c130ef927988dec78352e6e9c881fcd68a6ce8528baeb45daa373572d0e02ff465c0ed33b1d6618a3f58fc90a35d118567309c3ec7d825fa6f7d86637da
- Filesize: 203B
  MD5: 014be6684566d99f33abf37c21eda6ec
  SHA1: 73883dff98bba10219e219825ff3e54b0d501033
  SHA256: e7bbc710f1778907287e388c326a186eb03e0fe20fd85771c819f8a415d55f46
  SHA512: 8cda271fce4d092e44e0e0a9f9601e0c5afffd6aaca7340082ac5eff51daa3b9696aa7ead7b5cc47df4646b1bf8f5408990c7b4b401daf97494fe9141d1b08e0
- Filesize: 2.6MB
  MD5: 58a803e8ee25d86137c60e71f80fbb53
  SHA1: 4365b5c522aa4b281e5611abe0d712985fde719d
  SHA256: 368270304e32ca969a88d37bf2aa623813a2d0bdf8a0f119b5f68c7178c615b4
  SHA512: 67548101cbdff9dd6201b1ccc46deb741aed61a2d5a0eba78b361d747750246d80cf47e5dc52afcbd95cc01e933953c3af0008776fc498affae3bc456bfb851b
- Filesize: 2.6MB
  MD5: a1178e5830ce897a1737c045adf6a5f2
  SHA1: 824d26b4bda523a5c7970665896686f8c5e015a9
  SHA256: 999e1089472ee5ace3170b8a97581b492244cf84c856c52ebcadf235dbc3e572
  SHA512: 41e9aa4d80bf17d275aef747c5dec58b47fca8cc34915c8027c575049d4a9d0aa2e4ecb69cfd48f7420e77b303520083b2c6bf1e3b852793289a6b61c9a7cfdd
- Filesize: 2.6MB
  MD5: a0bd2b11ad5837f00336cc483da04ffd
  SHA1: 840d7b01bc8add794ac0cad2ecd45718a9fd80e4
  SHA256: 6e74992ac1d5189304c9f45c802d5aeb3b77390a14f85b0328953a052cbdedfa
  SHA512: 2035d5feae8300a3ba3a095a6759205921a9a79bc1d0b9db24146eb1f6f3d459669d2dc140d7b00a9f62001e5c488e7294469119eae24ddf0e5c71634d13aa5f