Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 19:48

General

  • Target

    57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe

  • Size

    2.6MB

  • MD5

    e1555873a42a82d6f39b1081fb561cef

  • SHA1

    e993f5ef7cd73bc52cc4be8d25a012e06a552f17

  • SHA256

    57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8

  • SHA512

    71c0f07368d1a06f026c9ceb58c85a3cbe0f1743665041b0a58545486f85d72095df10d6e61c149d008edcb379fe0975391ab3d71eee1fdc24ad3762e986718b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqv:sxX7QnxrloE5dpUphbVv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
    "C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4704
    • C:\SysDrvN1\xoptiloc.exe
      C:\SysDrvN1\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4700

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrvN1\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    d893a45963361dac7e8fef93283d482e

    SHA1

    377a7512739775494e5a151f700c52c9b522e355

    SHA256

    96a0ad8fcadd070036672728bda15a75a9a9a8059652ea6252faeb6ec5dc4b8a

    SHA512

    34f62f271e5d9d1ad099fad041321c8ca5ce9fd8e9f81c27ada09c9be7fe1ee4cab1496d33f0a877178a520c14edbfa3dc79f1830cae727469f478b459785aa1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    806ae4a7c416dd27301fa863fdca5c12

    SHA1

    28d5c04b85dc65fc30aa95688b55b7195ebd0e70

    SHA256

    cf86dbf9f69b9039d2cbfade05ff1d81883f7f2c933bdc364e7b7806191a1d7c

    SHA512

    53c478d877cd03e794a013cf5748ea7c74aedc90070227fdeabb7040d8311bf23efb737357cf9aecae7293e778dc0d88982b34cedbb116ecb7c8cc7fa328020a

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    f00715b6f0df7ad27d80ecb721719644

    SHA1

    94bf91019d66a5bbbf40347a5e4f5b6972c1d420

    SHA256

    ca7d0bd3e57d67f2c75c9f26ca1142eba0ea8e48a48bed112b0553bc5dea7591

    SHA512

    995f4c7e30383765984f585484cd8c30c1822a7148c74f225f7cf8d822e6b092adba5c6e11bf6140cb69ee3c9bc9c176d1a59fb7a57cba62b399cab3ec599733

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    2.6MB

    MD5

    2ced12bb430acb0cc4dd2987f1f513bf

    SHA1

    3d9209087964b78439ed1da76893a9fd5e2d5bd8

    SHA256

    0881624965cf152791b1b45dd1db193032dd17ea64eb9f85df4ced6d566bcad5

    SHA512

    704cf5c29eb9ffcf7944c7beef01cc5ff64a3a3c7db8f9312d9f3fc4e217ee28cb50621fcfa7a7f9a62a370258f5183cdbf8e1e939ee0af5ab3edc7550bde280

  • C:\VidUW\dobdevec.exe

    Filesize

    208KB

    MD5

    96bea98d9c4749b6f69714269de0b740

    SHA1

    6c3ef7765c25859f371d01ea9f10523040ddd57a

    SHA256

    0ddb1ad5ff8054c1590cc3d56e76c72b5c4b946528f4d1b37e1051ea09f7c302

    SHA512

    535b31684379da1d804fcbc6abcc35fffe66d44223509732c8187690e362d50ae092ac4884ca80f104302c090ae4511a68998800074b3e5135e6c6d9c8fb33c5

  • C:\VidUW\dobdevec.exe

    Filesize

    2.6MB

    MD5

    44e6b6badf1656c3dcbb1ea4fee72975

    SHA1

    6c28682839322d159a51c9df7c4caec4a50e4cc6

    SHA256

    f083b618df15848e9db8f20483c51aaf5765aba4ba96c15acc8c39b1546f933f

    SHA512

    75dca18a081d0fabda337fbe0b34789c05f7a62615626ca5915e1b69d6c9b03a518acc031d270684f50fa8558d5b22b0818a9fe64fde9b02078ca3c7b049c57f