Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:12

General

  • Target

    f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe

  • Size

    2.6MB

  • MD5

    303375e6c1dc4ae37aebfc2e21aca00b

  • SHA1

    278d1dfdc0cddaa330497886071a47b6fda10393

  • SHA256

    f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5

  • SHA512

    55ef61511a4fedae753d0812e64ffb071f84c00663e290aebc5364dd3260d13d5ce9a5da243bebbbf6211524b6b20df53ba577ea7e107b79233112bae41bad36

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSC:sxX7QnxrloE5dpUpfbF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
    "C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
    • C:\SysDrvIE\xdobsys.exe
      C:\SysDrvIE\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB4H\optidevsys.exe

    Filesize

    2.6MB

    MD5

    5229a911794802f5b3224f6297e859f2

    SHA1

    408b664f7a19a1a4b414d9fcd5cee33ceea44d88

    SHA256

    ea5adf6f963a1204f4230aeb4709036364c39e05988dfed934aeaca70580168a

    SHA512

    79546ef9c775affeb000484c4ec1377a7520407682cd12e3c963ca4a5249306ba77dc451d2548a045207bd140e99c177b17e74b7e82353973c5590f964fd3e35

  • C:\KaVB4H\optidevsys.exe

    Filesize

    2.6MB

    MD5

    866eb830de02190aea863a2d3b9f1b3d

    SHA1

    04d53ceef236e5adc1e8745d1e8d3d839fe5f12b

    SHA256

    f599bf3f3ea87c7a3256a107cb2b6553639fee002a1375f478404273bbd15f71

    SHA512

    726dfbd80917eba3099217e01f70d2c0787191f79a61e784d5340cdd734dad9603fc5e0b63419b810051a985c56647c4f9aad857b375b310168da5d8a2ff3c42

  • C:\SysDrvIE\xdobsys.exe

    Filesize

    7KB

    MD5

    20ec6effd447fb35f7db816f8c616148

    SHA1

    c8c9edd9f30b93dc161fc035c69b57e7af305dce

    SHA256

    43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

    SHA512

    6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    c7bb447f15b5e99ea6e58dfd2cbbb0de

    SHA1

    6eede5977dcba1bc9836d8129977770a96544240

    SHA256

    83bf919010cfa84fe90206407e71d682a5735cd86eaf9ff9202ea28a2f30fdad

    SHA512

    47c33d1a6eba2b4fff2e00f7e47524a5946de54f98a094424e4efeed4890c94d618985adf0ade96735b1d5698cdd6f6520e23bf180b0dcddbbeafdce40be7c4b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    809ccf47b1d8466b08b8c682210db16f

    SHA1

    51dd1a370a73493938aefc3a7f11ddac6d4c50d2

    SHA256

    7b34046294ba1f4054ec42ca4f33bc5387760ef820dcc90bc5799dea487d102e

    SHA512

    e44ec54b73697ea4bdf0dee66ab6c7eed959476ff907ac1f464f5d22e7c8276790e20c74f6dbb9bfaa7448dd38d35b5b9dcb21628c842596f11073718445de37

  • \SysDrvIE\xdobsys.exe

    Filesize

    2.6MB

    MD5

    9f075bb7210d96f1baecef4dd5410b2d

    SHA1

    d3fee560085540ce4c7120c48ca886d9954ad606

    SHA256

    03076c81317e05fd6815878f086f754d6b0855610660e584c2866ca886206a22

    SHA512

    8da20e5dddc9ff7f9d8be77ca38e8d05b226a006ccea44e28e88dbaec000e9a07a8449c731ad390a2322ab412c8b9101ac8c0742ba742ba0fbf1955a2fc7000f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    2.6MB

    MD5

    64ef65325db8b46385924af1bef098bf

    SHA1

    fb4dc6511423502585a7e1420380272e61691173

    SHA256

    00a9ae0505eac77d67e0be555346cc357a88e74097ede3becb65bce0ba7cee66

    SHA512

    4cfaa25bd58f8cc83cfd586c8d89341adb493c35fe9fbabb2a14a8750388ee9e7e4225000edcb5d0ada2fcbeba0ce849d17b02045148c55a9d4409b90fa0ec7a