Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 19:47

General

  • Target: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  • Size: 2.6MB
  • MD5: 095d375e30551efe363dee87431283e0
  • SHA1: ffd6bda3580ea75580b6d5f499b3b530228bf312
  • SHA256: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3
  • SHA512: 29b578038c227a9aea78e59d03865bf76a14fb6340a9c0cf87f56863f33e815e4d2b7509eacc4e1e29c17d05d726bf4e0d03ec0ee56688770972c3e5a8b939ec
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSm:sxX7QnxrloE5dpUpyb/

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
    "C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2580
    • C:\FilesF8\devoptiloc.exe
      C:\FilesF8\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesF8\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 01f6dc0fd9cfee905a32ec0e44bfe379
    SHA1: 2a33f473c66ee923ce130aba95e74f635016a872
    SHA256: f532cec752aeccfd65f117dd447738b6d5ca1b7b44088b27d31d96c3fcbac8a5
    SHA512: 4810e2dee24a3229d45b398741546330551eb3bd7104f7b9dc0f9a76184d45b412225b42ac01f7d1dfe32cb7038c3cc30d6ba3dbb499b46152a36f27515ef90d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 5149113981a84cccf739780fbc7ab915
    SHA1: 992410c85c6bcc6eae5e2658add46c2bb3b23144
    SHA256: 01c83c5fbd1b37839d43673a5716624c4ed3193388f99e994a3e19b22ce5f0e7
    SHA512: c13b7c130ef927988dec78352e6e9c881fcd68a6ce8528baeb45daa373572d0e02ff465c0ed33b1d6618a3f58fc90a35d118567309c3ec7d825fa6f7d86637da

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 014be6684566d99f33abf37c21eda6ec
    SHA1: 73883dff98bba10219e219825ff3e54b0d501033
    SHA256: e7bbc710f1778907287e388c326a186eb03e0fe20fd85771c819f8a415d55f46
    SHA512: 8cda271fce4d092e44e0e0a9f9601e0c5afffd6aaca7340082ac5eff51daa3b9696aa7ead7b5cc47df4646b1bf8f5408990c7b4b401daf97494fe9141d1b08e0

  • C:\VidAW\dobasys.exe
    Filesize: 2.6MB
    MD5: 58a803e8ee25d86137c60e71f80fbb53
    SHA1: 4365b5c522aa4b281e5611abe0d712985fde719d
    SHA256: 368270304e32ca969a88d37bf2aa623813a2d0bdf8a0f119b5f68c7178c615b4
    SHA512: 67548101cbdff9dd6201b1ccc46deb741aed61a2d5a0eba78b361d747750246d80cf47e5dc52afcbd95cc01e933953c3af0008776fc498affae3bc456bfb851b

  • C:\VidAW\dobasys.exe
    Filesize: 2.6MB
    MD5: a1178e5830ce897a1737c045adf6a5f2
    SHA1: 824d26b4bda523a5c7970665896686f8c5e015a9
    SHA256: 999e1089472ee5ace3170b8a97581b492244cf84c856c52ebcadf235dbc3e572
    SHA512: 41e9aa4d80bf17d275aef747c5dec58b47fca8cc34915c8027c575049d4a9d0aa2e4ecb69cfd48f7420e77b303520083b2c6bf1e3b852793289a6b61c9a7cfdd

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: a0bd2b11ad5837f00336cc483da04ffd
    SHA1: 840d7b01bc8add794ac0cad2ecd45718a9fd80e4
    SHA256: 6e74992ac1d5189304c9f45c802d5aeb3b77390a14f85b0328953a052cbdedfa
    SHA512: 2035d5feae8300a3ba3a095a6759205921a9a79bc1d0b9db24146eb1f6f3d459669d2dc140d7b00a9f62001e5c488e7294469119eae24ddf0e5c71634d13aa5f