Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:14

General

  • Target

    1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe

  • Size

    2.6MB

  • MD5

    3687d89eb5cf92fa06799e60e0b0de6d

  • SHA1

    3d2bc532692db63efa83f0b1a298bee8b457d47f

  • SHA256

    1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9

  • SHA512

    0492deb447e001abb58eaedc40f5b0c1b23b01c8b8c68ed9bd46f3f74b36830e2e4e4eb66e55c32f3b5ef1b19ab9012aaca9197c01c02816754e029e028c9606

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile contents.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
    "C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3140
    • C:\UserDotGJ\devbodsys.exe
      C:\UserDotGJ\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZIC\optixec.exe

    Filesize

    877KB

    MD5

    82f4a3df3b0023a10afc05a824e253e3

    SHA1

    ac1f5ea0bb724e8454fc771803d7339fb311d5ce

    SHA256

    7a48eb63ff6c42d8c25d40189980d2da6c1e983c4b1c3dada5322b54d52a0669

    SHA512

    563c290fee630bda98e7a7d3768f378bdc0d08c6ff0ff58039d2f67db8597c8fa43a0c03192d4f92205f1f2b1af310bf23ef73322a10c43f96ca8b1984788ed9

  • C:\LabZIC\optixec.exe

    Filesize

    301KB

    MD5

    b8e08065f0c3614033929164807a4705

    SHA1

    dd151f161b4debfa7b88b58d1e323a342bdc6ded

    SHA256

    7564caec69d94c20d4cf4ab6707de7eccfc86fa93a2df26fdea1bdf31314d2dc

    SHA512

    fa36ae28c6e6473461a5a757b7636313a9bb67fee1053c1e60d607695fa06f8be7d1057d3cf85779aa97da4bf781b8e0b9d0100e3c7205f095afe5838486c308

  • C:\UserDotGJ\devbodsys.exe

    Filesize

    2.6MB

    MD5

    6eaa0b3e6df5fae1a4830f97554f7216

    SHA1

    f803bb3f8edc4df48804f957d7bee5f292a70f05

    SHA256

    1a4680bb649a0c6f4cc027f85764f4248bcebc6c2740a40e9bed87aebcb9b04c

    SHA512

    086ebb230b7ad962417a5b5cf39461d7446b0e1a81d386edd481d5b9d781b135c391d21bb8dce696ba77c696428a5ef56a4938510447f32533eb00be9dd494cd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    f3ae5e4fa0cbdfe09ac923f774bae350

    SHA1

    d5bdc0bbe063ad9158db37179a5a9e26f3252d02

    SHA256

    43dee65e974e0297e409911debabf485fc08abb507ec60e387e2c8c7d7c1fc5e

    SHA512

    809a9f0d8ef6a52b8930b50898a01ad2cc6b46da708bec4ecb572e8bd282fdbda426406ccae970fe44f8f1c8f366791a99515a863dec009c883750a46c4784d1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    36ecb1482118ed347200afdd2c176c82

    SHA1

    a258677f646952c46d7b290552dac1136d0b1946

    SHA256

    f7a3b9d4173a63a7e3548bbada1f6e0d8ee0d3e854fee081dbe818eca918dbfc

    SHA512

    b687d0a395a1574a29b59e8440c591cd16b77f002bdec4dc51314a854b9e6c701011cfae149f7203caaf2a6dbaa922cdf0949d549f3a7b6f492ff9bba72af249

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    2.6MB

    MD5

    84ab2679b1da9553e934e211351ae3c9

    SHA1

    7d10d9d7dd582927b94a9acc12d9a80a5312930f

    SHA256

    1200dd851566f46690619cccd65e9815fd78ccab207b314b274d5e6783dd6f0a

    SHA512

    b3bb7d92b5d23baa5b35b742a8c3c86881c29bb7f0be2cb7d6a3ee0d9ad4b2f7a502c3c8e135323006a64d43c94c48205bc465ad426b15d21f1d96f65a1b3ebb