Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 19:48
Static task: static1
Behavioral task: behavioral1
  Sample: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Resource: win10v2004-20241007-en
General
Target: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Size: 2.6MB
MD5: e1555873a42a82d6f39b1081fb561cef
SHA1: e993f5ef7cd73bc52cc4be8d25a012e06a552f17
SHA256: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8
SHA512: 71c0f07368d1a06f026c9ceb58c85a3cbe0f1743665041b0a58545486f85d72095df10d6e61c149d008edcb379fe0975391ab3d71eee1fdc24ad3762e986718b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqv:sxX7QnxrloE5dpUphbVv
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Executes dropped EXE 2 IoCs
Processes:
pid | Process
4704 | sysxopti.exe
4700 | xoptiloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvN1\\xoptiloc.exe" | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUW\\dobdevec.exe" | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 events, grouped by process):
pid | Process | events
3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 4
4704 | sysxopti.exe | 30
4700 | xoptiloc.exe | 30
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | Process | procid_target
PID 3980 wrote to memory of 4704 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 89
PID 3980 wrote to memory of 4704 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 89
PID 3980 wrote to memory of 4704 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 89
PID 3980 wrote to memory of 4700 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 91
PID 3980 wrote to memory of 4700 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 91
PID 3980 wrote to memory of 4700 | 3980 | 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3980

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (child of PID 3980)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4704

  C:\SysDrvN1\xoptiloc.exe (child of PID 3980)
    Command line: C:\SysDrvN1\xoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: d893a45963361dac7e8fef93283d482e
SHA1: 377a7512739775494e5a151f700c52c9b522e355
SHA256: 96a0ad8fcadd070036672728bda15a75a9a9a8059652ea6252faeb6ec5dc4b8a
SHA512: 34f62f271e5d9d1ad099fad041321c8ca5ce9fd8e9f81c27ada09c9be7fe1ee4cab1496d33f0a877178a520c14edbfa3dc79f1830cae727469f478b459785aa1

Filesize: 203B
MD5: 806ae4a7c416dd27301fa863fdca5c12
SHA1: 28d5c04b85dc65fc30aa95688b55b7195ebd0e70
SHA256: cf86dbf9f69b9039d2cbfade05ff1d81883f7f2c933bdc364e7b7806191a1d7c
SHA512: 53c478d877cd03e794a013cf5748ea7c74aedc90070227fdeabb7040d8311bf23efb737357cf9aecae7293e778dc0d88982b34cedbb116ecb7c8cc7fa328020a

Filesize: 171B
MD5: f00715b6f0df7ad27d80ecb721719644
SHA1: 94bf91019d66a5bbbf40347a5e4f5b6972c1d420
SHA256: ca7d0bd3e57d67f2c75c9f26ca1142eba0ea8e48a48bed112b0553bc5dea7591
SHA512: 995f4c7e30383765984f585484cd8c30c1822a7148c74f225f7cf8d822e6b092adba5c6e11bf6140cb69ee3c9bc9c176d1a59fb7a57cba62b399cab3ec599733

Filesize: 2.6MB
MD5: 2ced12bb430acb0cc4dd2987f1f513bf
SHA1: 3d9209087964b78439ed1da76893a9fd5e2d5bd8
SHA256: 0881624965cf152791b1b45dd1db193032dd17ea64eb9f85df4ced6d566bcad5
SHA512: 704cf5c29eb9ffcf7944c7beef01cc5ff64a3a3c7db8f9312d9f3fc4e217ee28cb50621fcfa7a7f9a62a370258f5183cdbf8e1e939ee0af5ab3edc7550bde280

Filesize: 208KB
MD5: 96bea98d9c4749b6f69714269de0b740
SHA1: 6c3ef7765c25859f371d01ea9f10523040ddd57a
SHA256: 0ddb1ad5ff8054c1590cc3d56e76c72b5c4b946528f4d1b37e1051ea09f7c302
SHA512: 535b31684379da1d804fcbc6abcc35fffe66d44223509732c8187690e362d50ae092ac4884ca80f104302c090ae4511a68998800074b3e5135e6c6d9c8fb33c5

Filesize: 2.6MB
MD5: 44e6b6badf1656c3dcbb1ea4fee72975
SHA1: 6c28682839322d159a51c9df7c4caec4a50e4cc6
SHA256: f083b618df15848e9db8f20483c51aaf5765aba4ba96c15acc8c39b1546f933f
SHA512: 75dca18a081d0fabda337fbe0b34789c05f7a62615626ca5915e1b69d6c9b03a518acc031d270684f50fa8558d5b22b0818a9fe64fde9b02078ca3c7b049c57f