Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 20:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
  Resource: win10v2004-20241007-en
The behavioural results below are from the win10v2004-20241007-en run (behavioral2); the win7 task is not shown on this page.
General
Target: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe (referred to below as "the sample")
Size: 2.6MB
MD5: 3687d89eb5cf92fa06799e60e0b0de6d
SHA1: 3d2bc532692db63efa83f0b1a298bee8b457d47f
SHA256: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9
SHA512: 0492deb447e001abb58eaedc40f5b0c1b23b01c8b8c68ed9bd46f3f74b36830e2e4e4eb66e55c32f3b5ef1b19ab9012aaca9197c01c02816754e029e028c9606
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
Drops startup file 1 IoC
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  by: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe (PID 1832)
Anything placed in the per-user Startup folder runs at that user's next interactive logon; the process tree below shows the sample also launched sysxopti.exe immediately rather than waiting for a reboot.
Executes dropped EXE 2 IoCs
Processes:
  PID 3140  sysxopti.exe
  PID 2620  devbodsys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session data.
No file or registry IoC is listed for this signature in this report; it is a TTP classification only.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\UserDotGJ\devbodsys.exe"
    by: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe (PID 1832)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\LabZIC\optixec.exe"
    by: 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe (PID 1832)
Both values use the same name, Parametr. The Run value points at devbodsys.exe, which the sample also executed directly (PID 2620). The RunOnce value points at C:\LabZIC\optixec.exe, which does not appear in this task's process tree or file-creation IoCs, so its execution was not observed within the 149s run.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by sysxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by devbodsys.exe
Opening this key is also routine for legitimate software doing locale lookups, so on its own it is low-signal; the report shows the read, not what the sample does with the result.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (event counts, in the order reported):
  PID 1832  1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe   4 events
  PID 3140  sysxopti.exe    30 events
  PID 2620  devbodsys.exe   30 events
After the parent's four events, the remaining 60 alternate between the two children in pairs (3140, 3140, 2620, 2620, ...), i.e. both dropped executables repeatedly enumerated running processes for the length of the run.
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  PID 1832 (the sample) wrote to memory of PID 3140 (procid_target 87), 3 times
  PID 1832 (the sample) wrote to memory of PID 2620 (procid_target 90), 3 times
Both targets are the sample's own children (see the process tree below), so these writes are consistent with the parent creating and setting up the child processes; the report records no writes into any unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe  (PID 1832, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe  (PID 3140, depth 2, child of 1832)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotGJ\devbodsys.exe  (PID 2620, depth 2, child of 1832)
    Command line: C:\UserDotGJ\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
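The chain above (a drop into the per-user Startup folder, Run and RunOnce values named Parametr pointing into directories directly under C:\, and two children launched from exactly those locations) is what a host detection should catch. The Python below is an added example for this page, not code from the sandbox or from the sample. It scores hand-constructed Sysmon-style events that mirror the report's IoCs (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet; the field names follow Sysmon's schema by assumption, and the records are constructed, not captured logs), adds one constructed benign Run value as a control, and links children running from autostart locations back to the parent that planted them. The "executable in a root-level subdirectory" rule is a heuristic, not something the report states.

```python
"""Flag the Startup-folder / Run-key persistence chain from Sysmon-style events.

Added example for this report; not code from the sandbox or from the sample.
EVENTS below are hand-constructed to mirror the report's IoCs (plus one benign
control) and use Sysmon field names (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryValueSet) by assumption; they are not captured logs.
"""
import re
from collections import defaultdict

# Per-user Startup folder: anything dropped here runs at the user's next logon.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# HKCU ...\CurrentVersion\Run and RunOnce value writes.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# Executable in a directory directly under the drive root (C:\UserDotGJ\devbodsys.exe).
# Heuristic (assumption): legitimate autoruns almost always live under Program Files or AppData.
ROOT_SUBDIR_EXE_RE = re.compile(r'^"?[A-Z]:\\[^\\]+\\[^\\]+\.exe"?$', re.I)

SAMPLE = "1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = r"HKU\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

# Constructed events (assumption: Sysmon-shaped; paths and PIDs taken from the report).
EVENTS = [
    {"EventID": 1, "ProcessId": 1832, "ParentProcessId": 4444,
     "Image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE},
    {"EventID": 11, "ProcessId": 1832, "TargetFilename": STARTUP + r"\sysxopti.exe"},
    {"EventID": 11, "ProcessId": 1832, "TargetFilename": r"C:\UserDotGJ\devbodsys.exe"},
    {"EventID": 13, "ProcessId": 1832, "TargetObject": HKU + r"\Run\Parametr",
     "Details": r"C:\UserDotGJ\devbodsys.exe"},
    {"EventID": 13, "ProcessId": 1832, "TargetObject": HKU + r"\RunOnce\Parametr",
     "Details": r"C:\LabZIC\optixec.exe"},
    {"EventID": 1, "ProcessId": 3140, "ParentProcessId": 1832,
     "Image": STARTUP + r"\sysxopti.exe"},
    {"EventID": 1, "ProcessId": 2620, "ParentProcessId": 1832,
     "Image": r"C:\UserDotGJ\devbodsys.exe"},
    # Benign control (constructed): an updater registering itself from Program Files.
    {"EventID": 13, "ProcessId": 5000, "TargetObject": HKU + r"\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

DROPPER_TAGS = {"file_dropped_in_startup_folder", "run_value_set", "runonce_value_set"}
PAYLOAD_TAGS = {"exec_from_startup_folder", "exec_from_root_subdir"}
SEVERITY = {"dropper_with_persistence": 3, "dropped_persistence_payload": 2}


def classify(ev):
    """Tags earned by one event; empty set if it is not persistence-related."""
    tags = set()
    if ev["EventID"] == 11 and STARTUP_DIR_RE.search(ev["TargetFilename"]):
        tags.add("file_dropped_in_startup_folder")
    elif ev["EventID"] == 13:
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if m:
            tags.add(m.group(1).lower() + "_value_set")
            if ROOT_SUBDIR_EXE_RE.match(ev["Details"]):
                tags.add("autorun_target_in_root_subdir")
    elif ev["EventID"] == 1:
        if STARTUP_DIR_RE.search(ev["Image"]):
            tags.add("exec_from_startup_folder")
        if ROOT_SUBDIR_EXE_RE.match(ev["Image"]):
            tags.add("exec_from_root_subdir")
    return tags


def analyze(events):
    """Per-process tag sets, with parent/child linkage to spot dropper -> payload chains.

    Returns {pid: {"image": str|None, "parent": int|None, "tags": set}}.
    """
    procs = defaultdict(lambda: {"image": None, "parent": None, "tags": set()})
    for ev in events:
        p = procs[ev["ProcessId"]]
        if ev["EventID"] == 1:
            p["image"], p["parent"] = ev["Image"], ev["ParentProcessId"]
        p["tags"] |= classify(ev)
    # Second pass: a child running from an autostart location whose parent planted
    # autostart artefacts is a dropped payload, and that parent is the dropper.
    for info in list(procs.values()):
        parent = procs.get(info["parent"])
        if parent and info["tags"] & PAYLOAD_TAGS and parent["tags"] & DROPPER_TAGS:
            parent["tags"].add("dropper_with_persistence")
            info["tags"].add("dropped_persistence_payload")
    return dict(procs)


def alerts(events):
    """(severity, pid, image, sorted tags) for every flagged process, worst first."""
    out = []
    for pid, info in analyze(events).items():
        if not info["tags"]:
            continue
        sev = max(SEVERITY.get(t, 1) for t in info["tags"])
        out.append((sev, pid, info["image"], sorted(info["tags"])))
    return sorted(out, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for sev, pid, image, tags in alerts(EVENTS):
        print(f"[sev {sev}] pid {pid} {image}: {', '.join(tags)}")
```

The parent is only promoted to "dropper" once a child is seen executing from a location the parent wrote to, so a lone Run-value write (the constructed updater) stays at the lowest severity for analyst review rather than firing as an incident.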
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run and offered for download by the report; the report does not map them to paths. Note that neither 2.6MB entry matches the submitted sample's hashes.

1. Filesize: 877KB
   MD5: 82f4a3df3b0023a10afc05a824e253e3
   SHA1: ac1f5ea0bb724e8454fc771803d7339fb311d5ce
   SHA256: 7a48eb63ff6c42d8c25d40189980d2da6c1e983c4b1c3dada5322b54d52a0669
   SHA512: 563c290fee630bda98e7a7d3768f378bdc0d08c6ff0ff58039d2f67db8597c8fa43a0c03192d4f92205f1f2b1af310bf23ef73322a10c43f96ca8b1984788ed9

2. Filesize: 301KB
   MD5: b8e08065f0c3614033929164807a4705
   SHA1: dd151f161b4debfa7b88b58d1e323a342bdc6ded
   SHA256: 7564caec69d94c20d4cf4ab6707de7eccfc86fa93a2df26fdea1bdf31314d2dc
   SHA512: fa36ae28c6e6473461a5a757b7636313a9bb67fee1053c1e60d607695fa06f8be7d1057d3cf85779aa97da4bf781b8e0b9d0100e3c7205f095afe5838486c308

3. Filesize: 2.6MB
   MD5: 6eaa0b3e6df5fae1a4830f97554f7216
   SHA1: f803bb3f8edc4df48804f957d7bee5f292a70f05
   SHA256: 1a4680bb649a0c6f4cc027f85764f4248bcebc6c2740a40e9bed87aebcb9b04c
   SHA512: 086ebb230b7ad962417a5b5cf39461d7446b0e1a81d386edd481d5b9d781b135c391d21bb8dce696ba77c696428a5ef56a4938510447f32533eb00be9dd494cd

4. Filesize: 205B
   MD5: f3ae5e4fa0cbdfe09ac923f774bae350
   SHA1: d5bdc0bbe063ad9158db37179a5a9e26f3252d02
   SHA256: 43dee65e974e0297e409911debabf485fc08abb507ec60e387e2c8c7d7c1fc5e
   SHA512: 809a9f0d8ef6a52b8930b50898a01ad2cc6b46da708bec4ecb572e8bd282fdbda426406ccae970fe44f8f1c8f366791a99515a863dec009c883750a46c4784d1

5. Filesize: 173B
   MD5: 36ecb1482118ed347200afdd2c176c82
   SHA1: a258677f646952c46d7b290552dac1136d0b1946
   SHA256: f7a3b9d4173a63a7e3548bbada1f6e0d8ee0d3e854fee081dbe818eca918dbfc
   SHA512: b687d0a395a1574a29b59e8440c591cd16b77f002bdec4dc51314a854b9e6c701011cfae149f7203caaf2a6dbaa922cdf0949d549f3a7b6f492ff9bba72af249

6. Filesize: 2.6MB
   MD5: 84ab2679b1da9553e934e211351ae3c9
   SHA1: 7d10d9d7dd582927b94a9acc12d9a80a5312930f
   SHA256: 1200dd851566f46690619cccd65e9815fd78ccab207b314b274d5e6783dd6f0a
   SHA512: b3bb7d92b5d23baa5b35b742a8c3c86881c29bb7f0be2cb7d6a3ee0d9ad4b2f7a502c3c8e135323006a64d43c94c48205bc465ad426b15d21f1d96f65a1b3ebb