Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:51

General

  • Target

    9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe

  • Size

    3.9MB

  • MD5

    5960c9baf8b550d272ffb4560d83213b

  • SHA1

    927608f67a071cb85586d5693c7e4f84532794aa

  • SHA256

    9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11

  • SHA512

    a647936bf55c7c7116d6deffcf5ce0ba8ee89fdb57e5ea85456b95d915ead7419dd4356d7d1a3f26deceeae13ee97ae2bd0dbf51766cae1ab0271eab2ec190a2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
    "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2952
    • C:\Adobe55\devdobloc.exe
      C:\Adobe55\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2580

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe55\devdobloc.exe

    Filesize

    3.9MB

    MD5

    b51b92e69bc1f684ecf2913b061e681b

    SHA1

    0180359e58bec97ac6e53cde2b519f52815a9e2a

    SHA256

    d3d7f3400a1bc6ceca384a9ac549bfdfdf4fce0bb132b2113ec7c08ff13fde7a

    SHA512

    f634a10d6c9b133732eafc61e9fccf7096fd2e8ca219023b32321c4d30d653940cb5ce8deec0a480f7845fcb0f1a76c6802d38311e5819327d15709a79946164

  • C:\GalaxV7\bodxloc.exe

    Filesize

    3.9MB

    MD5

    bab260bad5ac54ba397220d425b534e6

    SHA1

    fbd74ffb46c4346b9799f23ae75a4ec694299671

    SHA256

    fcf5230e8bfe14b22b040b98043f7a32a16280ae9ac6b0a9eac614ca0e3a391b

    SHA512

    d7ccb9cf720457221d9544d3d2e5c430fc715dbff506dc5feff40d210a8874e9e94235e8b8bf0216c4154b7fded82fa660588ac203e0f5e277dfc37f58c5dc25

  • C:\GalaxV7\bodxloc.exe

    Filesize

    3.9MB

    MD5

    29590491484bb590cf269efed9acf470

    SHA1

    cf6f99b6cf78f80ae53c5a2fca632b07a0205c8f

    SHA256

    0e1ef66e838b63c39854eb9a7e9ad3c9b68c04460f1ee70d0c72bfa9dd6462bd

    SHA512

    04d46aa9422664efab84ac9f05a7c791e406d01309e87377ed191003f5cac4bdb4177c428c108573ed22cd6e2df27f8b688e7914ae44a6e467dbeb76b73b244a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    ded33f9d92be9dbfc0ac4195e1427e8f

    SHA1

    f54a48e691b11acd85192fbe2ea628d2fd6baa0f

    SHA256

    e81d21f20f0b8175a54cf2eaedb0a71ba32dd8a3359bd2a324558d9819405390

    SHA512

    a229c6ffb8c6232d4ec6932a2e6eec3283242cc513f53ce83674c0995f6eac18229db589f6d678e2bf444cd4e3c37458404c87c6431c99ad42d3c9fff8165e89

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    2b428a2bcd935b34adfc3da939f58db2

    SHA1

    50d7c7f33b3e4791d18321b07832c2dbdd1011b8

    SHA256

    e6fd6003523f8674495ff0ce251407e49ad1c552c09735fabe39079b0b20ddef

    SHA512

    1a97093f639f81d474f3f7d5472932fd360934e97e58197682f50ba6e631d9835ae057fde40f0d7c8a287c34dc54d200321afa88672000966d20a790942cc0f9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    3.9MB

    MD5

    d8816d65b578329ebd4f3d03b41fcf87

    SHA1

    914c44b3a1499977eba64a437d74d59abfddb653

    SHA256

    e1ac35a94ae95bd3658bbe150001e0cb65d48f776c9266c65172c107dc886f2a

    SHA512

    cd9496e8f01e5bbbeca7ed0d6859f9788815ac7330c3743c922da51cc5ca47af8fb3daa4c1550671180f03441019062d3e8c95a0c1328e9a2e438425297a155f