Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 22:36

General

  • Target

    5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe

  • Size

    4.1MB

  • MD5

    a26b0c1f30402f8b97054ea100d4dd51

  • SHA1

    1af814ab4eb518cf8916dcf819a680f93390fa8b

  • SHA256

    5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094

  • SHA512

    99fa76ca41d4f33999416b6256c6b839f71b4bbacb826d423f1dbe2b06f6adf1ee761970e13bba6b3de051e045bfa926ba01123d02160d26028924722b2ac8de

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
    "C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3488
    • C:\UserDotZ0\devbodec.exe
      C:\UserDotZ0\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxEN\dobxloc.exe

    Filesize

    2.1MB

    MD5

    6394c9ab66c0cffe9ee975d1b8d98b41

    SHA1

    efd0ab424aa8b7834ae23fe345955795264d9716

    SHA256

    ec6dab1b08d49b2d062367c83f6505e371c8299f3283590ae79aecbabc73985e

    SHA512

    ff2e67a715918bc9fcc0875b36d4a14dae3ba92e022a28f26795745cc65acab9b8fd24a9f10f457af499019f51e6cbef6fcf3890fac2fad7e88683029795af02

  • C:\GalaxEN\dobxloc.exe

    Filesize

    4.1MB

    MD5

    6b6406ed9e6d5843d2725a1d8d50a949

    SHA1

    41b550084effc9acb36cc583cdf7823222f6ef8c

    SHA256

    dce14bf474eaaf5661c3f7f4fc256a8c5f96c9b7f4ee289e4041fc6ec16e7baa

    SHA512

    15e5e1d4583f0cf8db3ad08ec4bb668d362f2237dabf5bb38586456e41aed4ada9e3164a109f8b422910481b39a421b40a544bcfd894e86b7a2099b47f2d9d94

  • C:\UserDotZ0\devbodec.exe

    Filesize

    4.1MB

    MD5

    95ddb5bd4a3174adb3714e3c4d68dc95

    SHA1

    5aab918f906f7ce458760be087d607d5cdbe3ce3

    SHA256

    cd71a2f26bf7f24ebb5b35175b909b1c17e72ec9f8e1fdfcf99932b3df8cc917

    SHA512

    c83b54b8d1781826907af26ec48bc9ca82663b9180c3cfe1368ec46c1ff8e0eea1ca86670cb170493de736966672d10b1a54325a860520286a8882fd8be81cc0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    f4bb72a5ca054a52314cc09a45984ca0

    SHA1

    4a460107d1394a2725ab5d0c930f362e3ac4a5ea

    SHA256

    2e02b2917d4d834f12c8daf6b6d4c6cb5bf2596775ade1c4e2132398957c9be8

    SHA512

    69f82a4ea9f7cd0d57742a871b6401c0cea3f6f827dc3089c44e343c6cb67c57dc2e5138a292e0531aed9f22b2518b5a813de9e6c13321044dafc918be1b1b6d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    e5f89182f806c25ab3c4c1d647a0fa13

    SHA1

    b59f279802046401e86c1d7a827a23c8212b3ea7

    SHA256

    c5f53c200e5fc19ef4b070476ae57c6f657e6f9287ea9a0aed75fc905d0cf70f

    SHA512

    d5d4e479dd93ae4196c3168e195b2db175fdc5276d1b7056b11397e4624d6c188e2fc26b6d91aea0f9d7b5fbef3eeb5ab0ed0e2dd99757ae74f134437dabc68c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    4.1MB

    MD5

    796402e9b87ed8dcf34647077ffadf8c

    SHA1

    db52c035fad068f4e634b26f155714e49103874d

    SHA256

    1bee31ce7f27e18fa7819ca363dae026daa601b06d6222e6939489ad35c94e20

    SHA512

    ff1b9752d18308ff0465a26809118e693ff9c7608f30b413889506e0eecd7f5ab77418d248bd730c7cef8f000a9b0d9fece2836bb919fd9eda3030b2af3a689e