Analysis

  • max time kernel: 150s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-06-2024 05:41

General

  • Target: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  • Size: 3.9MB
  • MD5: 62de0e03112b50ef658e3d6477e0b2c3
  • SHA1: e5e1ab14aee7bb6e30cd250378238a005ad863be
  • SHA256: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77
  • SHA512: 957377e00975945f8ba188ddd7580281d2678fe32f3170bed9ab6ea215b6fb738583bd67432cc6e34b0839e8d621611be52669630e1413ed626c7a814335884b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
    "C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3044
    • C:\Intelproc5V\abodec.exe
      C:\Intelproc5V\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2580

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Galax0G\dobdevsys.exe
    Filesize: 3.9MB
    MD5: 3a2f0e3b4dc877cd6861254f7f1b1cb2
    SHA1: d70e8d3d966864795e342492bc53000ca22b0d52
    SHA256: bb83ea2118069a1ac02f368bc4df1c1f8308ab93cc9852c09271848bc10fdae6
    SHA512: d7bf72601f9db881ff19c1027d8f04c64f53f415c243285106b72f00124dc02d054d11c4a651b0c36f4658e933e7f115e7c4354392e8fcf02570219f9961ff81

  • C:\Intelproc5V\abodec.exe
    Filesize: 3.9MB
    MD5: 8289566ee15db2d66110d056656af409
    SHA1: 66cd870ba62c0cfc13bfd3ddb434df4d083c9eda
    SHA256: 9827e33487453eded58402b7e50780b2a78074411ca79a65d3d50872539a95e3
    SHA512: e3380f045fd393fef66ae80f8c23b7004a2c42f981bc1b94e1fdd6bb8f9c80567c5ed44cf7cbe83f789326d7e6bb6a2ec5b72e1fc67c24851ccfae341a4b4243

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: 0bab846e313217a04bfc0fba9fe981f9
    SHA1: 070ee2b809947c92dfed59269d4c4845b8bc0306
    SHA256: 160f95fb112f9917b2fe2885ef0539ff97e914bb5705c48cbef63de12432e3b4
    SHA512: f1b5d887fa7473422ababf99da996f97e3fafcc4db1b828dba671abe81b40711461d13d8eeb7b0570d1e77c8c190e6f7d06870ed415fac4ab5146054fbf01259

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: df69540fedab0e7099c74e7713c6eac6
    SHA1: a843362e27d9da63b742cf55bddf560b85ee057d
    SHA256: b63cdbd6fc715691e9141cbeeb272cc535c66c26f72010de2c9c8fd163e76f49
    SHA512: 3ff0b27233f68461ff1302d75956454513c41d0a15b4168887d37e469651ef71ab191c8c86c06509162fab155c0f7dd2c43fa4672403ca752e659c7b1c13bcba

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 3.9MB
    MD5: 53ee35863662e20e2c1a88c30cf10aa6
    SHA1: dfb6413a6e184d1c0fe334a984491b3ce196d875
    SHA256: 5286947b103fcdcad0ebec26c0c5b135dc1f7bd0838e67438c66f45411621dba
    SHA512: fabf7f79a52cde10c0126c0decd60a0ccf832a5b42659e1ee6959565deca48ed54d0d4ebafdca000b11a0b23481ae4eb37f7dd3491222c75cfe1b2408aa36c8f