Analysis

  • max time kernel: 120s
  • max time network: 120s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 19:51

General

  • Target: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
  • Size: 2.6MB
  • MD5: e2434796bed4d1cd649c6afb0fc47096
  • SHA1: 42f630e492619fe20283d7227a7f65f9a4e9e361
  • SHA256: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2
  • SHA512: 48af8958a4cb5664f84919eb22ab5a69c409146065dd99ea7d4d4f21a116265aa582dfc47b1853424f52ad9126bdc8b9a7328210de842585f7a1a87afcf0aff4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bST:sxX7QnxrloE5dpUptbc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
    "C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3804
    • C:\Adobe4D\xoptiec.exe
      C:\Adobe4D\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2264

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe4D\xoptiec.exe
    Filesize: 681KB
    MD5: 9fc1849177510a0591329ff5244f28af
    SHA1: 3d31bd7052d59387665bf1ddfeaa27dcd7e546ae
    SHA256: f4befeb1326145a5a70064232b41af41054f658f44bdbd745a80e1de35c2963e
    SHA512: c8c2687b4ee9f632e75db9588b2949431004d29bc25c654a35ed37c667499eed41c405dddcf9e07790601642bad9b553dac78492dc38b8688a1c41b2a17ce91d

  • C:\Adobe4D\xoptiec.exe
    Filesize: 2.6MB
    MD5: 1afbf8ead4087abb4a4ce90ecdea8108
    SHA1: b110c78a2ec380d905e48c48d542477935b73381
    SHA256: 92baacbd494e79dae788ed8265e6bfc4982b62c874edea02fe0faa6162e28813
    SHA512: 914570b8db3f461dcb52b2736834c55ad9810991d449b74c3cc02e61a60df2c9847148db9fc8a67bb7fcdce5775ece3296edff89a78492e1ae929320a172e9e1

  • C:\KaVB77\optixsys.exe
    Filesize: 2.6MB
    MD5: 0d544b383b5ae7742cd903f8a186af77
    SHA1: 400e568e99c7b961c614fc309f028ed4e011476d
    SHA256: 586567d2ebfb6479284d01e773d8c7807b93875339d4305dde32f24900572a53
    SHA512: 9acc3f242bb34e4ed1addcee46df81731e7e551c9f2ce0be679ed4bb1f02be9dbaccdf61570b64fce6b51b7a5ec266893ce022b94c8f93e8ea7059fe0f27c310

  • C:\KaVB77\optixsys.exe
    Filesize: 2.6MB
    MD5: 70ea0b8329bc3f76f03ebb2493989dc0
    SHA1: 3b1f9b3a09984a127314b0d2baad71d31499aa7b
    SHA256: a52afbe9d9ac74f84238acdd505e9770f5d4752dde01f43d12bbc8f68e6634c5
    SHA512: 7a005d752a8579256f7bec2647e7c01d63b79a6491acc3cdfe72c32a7b8370c2b96682822e055bf05e23cc55febe4d9b1ce90800caa67f5a9f5c4265d5ca3a8f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: e9d9fe5f6375b0a4e1283c182fac34bd
    SHA1: 6c93c2fe53c736c288fad644938c092e8b9d8fc6
    SHA256: 992cb1960f6a6098c49c129d3e22eb8b638b8f8172be1df6771182c657008132
    SHA512: 0bd2a3d3c5bad19571b180244961f19f1d33dbea20e7b943fd4f62c066d73d74f10b97d3eefcd28efae896b8cb9e4cb9c8eae67fcda924b61de1e9bb672bab4b

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: f1313b234f2682e17991eb2f33ba6a85
    SHA1: af54a47211bdcbdf1d7e27ae7c49f8906ecc9f77
    SHA256: ed86aa7a87388e97e47f333d86c319f8a4e2085f565c026a9a54dc713dd5a1e1
    SHA512: 8563e01b718187376dc0c96107149f5966e26c1d76cb70e67de6e69bc6c9936bada5bfa9e7ce71e2b786178f217c11b227d447112b428b962f78539720592027

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 2.6MB
    MD5: 361bd2e45b7d1f765207a50696e449ee
    SHA1: fa7d84ed2af90a1f331685905a8ded9d8234ab37
    SHA256: 7d69f374594ae8ee3c0f242d25d29a6899f2a62a5203bd3093cbddf972e7ac40
    SHA512: d3380b0b1f4ae238c379a5812190cef45e8f73f97e6ec9ed704b89770e43e7a75f8ad03d91e15170da544c7e3acdd8bedc622e3082c18e0b7bf71f2f73d85c89