Analysis

  • max time kernel: 119s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 19:54

General

  • Target: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  • Size: 2.6MB
  • MD5: de42ddd0cfaaf5429e5c4f361a97aefe
  • SHA1: 87a201560bb2688b45f89ef1563899d7e97649bc
  • SHA256: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a
  • SHA512: 4e3d21c7b2fbc49dfae38f3f72a770faa265c73468b10a00b8732fb937287fbd101a0b5b0cce7a19ed64e7205693538b66ff14a6f57c2e0565b266b019d5789d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSG:sxX7QnxrloE5dpUpzbH

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
    "C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1184
    • C:\SysDrvR0\aoptiloc.exe
      C:\SysDrvR0\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZUC\optiaec.exe
    Filesize: 2.6MB
    MD5: ba8d652673efefb2772947175c02ecfb
    SHA1: 280235c6483bc25a4bcea7f95f563ba689a5b6ef
    SHA256: edee520cd53161b96e1d06d22fd1958fbddcb42cd5f3c867fb34a55e2b9afc1c
    SHA512: 19cf3e8771b967670d69fb425bdba24f78bf3688d567af5d77b7e9f102e267cf723d2fd97f17bfb7181175c01489500937caf3f6d6a8c3d855b0c36eef9946fa

  • C:\LabZUC\optiaec.exe
    Filesize: 2.6MB
    MD5: 2c5dbbfd8027436f1c2b0edb423575ef
    SHA1: 14a53006f64982c97ceccd79954752e9cb20efa6
    SHA256: 7912213c3308f0ad7b710eccfcf4eb92b066110a272507268584ba8ab124a43a
    SHA512: 10a8a473f1032f28bfbc2a3aef752b51ad0274fca9dbc7247875a20d60565af9359815b8a0a8c83e70f329f418b94f3761997a8c1f1b2d2af4047204da431848

  • C:\SysDrvR0\aoptiloc.exe
    Filesize: 2.6MB
    MD5: b82cf5ef1a9bb77cd939e5252c8a3927
    SHA1: f6b9c2ef5f4b86c2e375b29e617b8e0491714409
    SHA256: ff5f8b65cbf5f778c46297c1266c73bb54f7fc285a617f3e97c0454b095f5683
    SHA512: 84f120453a349c75a46c77f78325820b23fa9cb54664d2f50da27279b6dea254e224701fe7cc0a3ee44af2bd9cff3df1d7622f91fe76bb3e52ab93d4b36f40ec

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 0fd92370e8cab9a507021b5e37a021cf
    SHA1: 67f90597dae96199e296c323898352656d832d5b
    SHA256: 5eee7510d599d1720bbfd6b4e14584a0506953135d671bbfcad005e727b0e8d3
    SHA512: b326993f773a73c1f72bf54dce3f81cf5cda7795031cfc4d56959a454ad31e25f02c4a9fa37eb34f54143edaf3f5ad7e77bc8cc81c9e643b8325792b553251d3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: ad2a637b5cc24f5d8a60e20bf11c50a6
    SHA1: 2a26bd3d15c102b366d1ac46a8f659ed66ff0e54
    SHA256: b3783c7003ae429cbb3d7689f1ab0f37e07b492b06b571120716d9eceec1f40b
    SHA512: 4a06a5b897796e75a554b8e17304d18c66010f2a53a80217a38d869172cf0ac842ad8f73375d66dcd643eb7a74d28cb34333c90d9ffa1fabf7b9f738f48da477

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 2.6MB
    MD5: 7bfec6ffb4e828c6d6569c5aebe8e051
    SHA1: 42da3e10761bb302f8b37c5fce2a0ca3e020894f
    SHA256: fd3d3a0c246e0621cbd3e386a21ebb63c527f4d6bae12a8ff591f05f6af71250
    SHA512: 6d49cff24e3be9f62d1c4f5b5f4ca5e2667aa05e605b911f5c9f76e4a8e43be38dc5f9003166204fab8717689dd21ef75995e8d737ccd96499f21f477ea62870