Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:48

General

  • Target

    fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe

  • Size

    2.6MB

  • MD5

    70e4a479abe061eef8ae8a00438c0e26

  • SHA1

    8e44b2b251cde8581f0bceffd66a5cc2d7e785be

  • SHA256

    fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f

  • SHA512

    b57b61d6a477705f50b441c63924c5c76ec08279afa6df18f524f70f0b614f56b3ca1448f20bafe59717db55a6aaa5d92990231cba9713c86e7c97e72c12e33e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1548
    • C:\SysDrv1L\devbodsys.exe
      C:\SysDrv1L\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxWQ\dobxsys.exe

    Filesize

    2.6MB

    MD5

    ca27d44cd5d4736c047eba3e92d9fdb7

    SHA1

    2ecdc11965fdb7e273d47ee17cc5be439725c28c

    SHA256

    5ede62ec56b6f7ea781e4c128db6d8cc8abfbb97a2535ca9af953b96ca2cb888

    SHA512

    9eece0d9d402965acb60af7a917ec2148355261b1568a9d6b2b3e4f8bcc0552a353e655b5bf24f8757dd6c64cacc9177cb903bd821cc0596c1aa1adb225f3343

  • C:\GalaxWQ\dobxsys.exe

    Filesize

    2.6MB

    MD5

    ad1d01504adfbf03d536e50e9aba7882

    SHA1

    ad47e3eb8effb3a1b046404c10c0f7766a214357

    SHA256

    2d8e6c00323ac0eaf1a3279664a3fd9c7cdf37c814d4688657831d719d5bb097

    SHA512

    f9811a544c11e31db4962fd87c499fc1229991e2a36aaaa7824d0ad2017b6a120f92c9f8ca6213f85888808fae9ab6b6de369b1677ffa74f0daa9db308c22fed

  • C:\SysDrv1L\devbodsys.exe

    Filesize

    187KB

    MD5

    6adf2557121d022963847c4d052b3839

    SHA1

    5835dd2d84590b7ab93b148cdb56fd196c97f69a

    SHA256

    6c33c3b035ed5f42eb41dadc06bee0a79ca9f98dd62f8feaa55f8badef6758dd

    SHA512

    646802a5af63609c3ffaa794512009dae5f31742b471047242692243fcb91885f5055b0c4b74b582a29ed1dc4265e4838a0e5d226b23f4d025e24bbd8ef29165

  • C:\SysDrv1L\devbodsys.exe

    Filesize

    2.6MB

    MD5

    6550fd0a86d2b2d267e02efd18b52b93

    SHA1

    45d726080abc4a022fae42c94c619cb233c10c69

    SHA256

    6b77161625c6377cff9f4a5fe288c51b4a0c3a71a7b08c10d5e82a6ad0065b04

    SHA512

    0e00c766cdbc07bc595f4f4a65669689f4f062f76a11857b5c89cf39ef60f225b3b0947129989bc568b3c200c949a7554c3149f1c9dbdb0c19e3710c6b881e58

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    a92e443b72e09a419c5f72c829b241f1

    SHA1

    39c81643a999c63187aa67636af6dea2f36c99dd

    SHA256

    1804be3ab7fd4e9f25a1601588da133f7513e49759a2579b891d91ae75ec4944

    SHA512

    6f33b81a91cdd835e1cbc31ea0c11c4e9a3ceec7708f19c15600939d003d13357923a872c09727166721ebac901d1b83fd7baa9995883436adbe4c342b5c995d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    3c5d673db645641d66f1dbbd13033438

    SHA1

    678b037fd28ca82745d67c36ce50eef43db39257

    SHA256

    c72d5278657434b515a753ff6e1a96eaf45b633e7e18586e4f7c312e20c3d4cf

    SHA512

    3d159058b70cad0cd3030e8541df9d4a38f249229691c8ecbc945542d021527a61929f64e710148a9dc69ea78ce812bde1a8be9e3a97b2611e12152559938261

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    8b3c3cb4482f7c184aa863dd3a8ad92f

    SHA1

    781a19504af7146d2eb67684d134d9e24c930171

    SHA256

    0bbc1e766da309291f531f5ec49902047fa748dcea6cb70d9a075e225d105d06

    SHA512

    9f68588ccfef041a653ec6052625eb79f86ccad0d6eaa4d571df4d600bb362ec8a330a24895ce9842d0dd491f67792272cc5c446c85264b3436c923ac3576f57
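As an added example (not part of the sandbox report or its vendor's tooling), the Python below sweeps a directory tree for the dropped-file indicators listed under Downloads and Processes. It matches on SHA256 and, because both C:\GalaxWQ\dobxsys.exe and C:\SysDrv1L\devbodsys.exe are recorded twice with different hashes (the payload is not byte-stable), it also matches on the dropped filenames (dobxsys.exe, devbodsys.exe, locxopti.exe) and on the <digits>_10.0_Admin.ini marker pattern. Function names, the demo directory layout and the sample bytes are this example's own constructions; the "planted test file" hash is appended to the IOC set only so the hash path can be exercised offline.

```python
"""Sweep a directory tree for the dropped-file indicators in this report.

Added example, not part of the sandbox report. Hash matching alone is
fragile here: the report lists two different SHA256 values for the same
dropped path, so filename/pattern matching is combined with it.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied verbatim from the report, keyed to the path the
# sandbox recorded them at; the submitted sample itself is included.
REPORT_SHA256 = {
    "fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f": "submitted sample",
    "5ede62ec56b6f7ea781e4c128db6d8cc8abfbb97a2535ca9af953b96ca2cb888": r"C:\GalaxWQ\dobxsys.exe",
    "2d8e6c00323ac0eaf1a3279664a3fd9c7cdf37c814d4688657831d719d5bb097": r"C:\GalaxWQ\dobxsys.exe",
    "6c33c3b035ed5f42eb41dadc06bee0a79ca9f98dd62f8feaa55f8badef6758dd": r"C:\SysDrv1L\devbodsys.exe",
    "6b77161625c6377cff9f4a5fe288c51b4a0c3a71a7b08c10d5e82a6ad0065b04": r"C:\SysDrv1L\devbodsys.exe",
    "1804be3ab7fd4e9f25a1601588da133f7513e49759a2579b891d91ae75ec4944": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
    "c72d5278657434b515a753ff6e1a96eaf45b633e7e18586e4f7c312e20c3d4cf": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
    "0bbc1e766da309291f531f5ec49902047fa748dcea6cb70d9a075e225d105d06": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe",
}

# Basenames the sandbox saw being dropped; matched case-insensitively so a
# re-packed variant with a fresh hash still surfaces.
DROPPED_NAMES = {"dobxsys.exe", "devbodsys.exe", "locxopti.exe"}
# The marker file was named <digits>_10.0_Admin.ini; match the shape, not the digits.
MARKER_INI = re.compile(r"^\d+_10\.0_Admin\.ini$", re.IGNORECASE)


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha1, sha256) hex digests, reading the file once."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests:
                d.update(block)
    return tuple(d.hexdigest() for d in digests)


def classify(path, sha256, hashes=REPORT_SHA256):
    """Return the list of reasons a file matches the report's indicators ([] if none)."""
    reasons = []
    if sha256 in hashes:
        reasons.append(f"sha256 match ({hashes[sha256]})")
    name = Path(path).name
    if name.lower() in DROPPED_NAMES:
        reasons.append("dropped-file name")
    if MARKER_INI.match(name):
        reasons.append("marker .ini name pattern")
    return reasons


def sweep(root, hashes=REPORT_SHA256):
    """Walk root and return sorted [(path, sha256, reasons)] for every matching file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                _, _, sha256 = hash_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the sweep
            reasons = classify(p, sha256, hashes)
            if reasons:
                hits.append((p, sha256, reasons))
    return sorted(hits)


def demo():
    """Constructed demo tree (hypothetical contents): a renamed variant, a marker
    .ini, a clean file, and a file whose hash is planted into the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SysDrv1L").mkdir()
        (root / "SysDrv1L" / "devbodsys.exe").write_bytes(b"MZ constructed variant")
        (root / "253086396416_10.0_Admin.ini").write_bytes(b"constructed marker")
        (root / "notes.txt").write_bytes(b"benign")
        sample = b"constructed hash-match sample"
        (root / "planted.bin").write_bytes(sample)
        hashes = dict(REPORT_SHA256)
        hashes[hashlib.sha256(sample).hexdigest()] = "planted test file"
        return sweep(root, hashes)


if __name__ == "__main__":
    for path, sha256, reasons in demo():
        print(f"{path}\n  {sha256}\n  {', '.join(reasons)}")
```

Run it against a mounted image or a live host's C:\ with `sweep(r"C:\")`; a name-only hit on dobxsys.exe or devbodsys.exe is the expected outcome for a repacked variant, so treat it as a lead to hash and submit rather than as a false positive.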