Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:21

General

  • Target

    941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe

  • Size

    2.6MB

  • MD5

    514f35751c767a1c308307b8ab16582f

  • SHA1

    5b43a258c112ebccb311f32777ccbeaffaa7bbac

  • SHA256

    941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987

  • SHA512

    62d2f0425ec4a306bb35272e3530fd911085df47a384a4f9d729866a36bf56ca671a80ebfa1f192e0272ee7e8f0f0cd1ce5cddf9abcb51caa8a9272382eb7536

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpob

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
    "C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:808
    • C:\UserDotST\abodloc.exe
      C:\UserDotST\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax2D\optidevloc.exe

    Filesize

    2.6MB

    MD5

    4b3bd2484fd59ba0473df68d0d7f8a1f

    SHA1

    c4d7b4b3b65db233515e3684b773e4d6232040fd

    SHA256

    0620fef7d51d97a3d260a1b2b3acbef836002afa52a90f1a54a15a30e389d545

    SHA512

    76f797e74f5e8a805b499623a079c61964682b4af238b288c56c388fbf7440b6c5e86d09970d8ba90bca853b4dd59144a1d1c961bbeae39cdf952b8077ff9504

  • C:\Galax2D\optidevloc.exe

    Filesize

    2.6MB

    MD5

    dbf5aa1f644df3c27d8bbc36e1056871

    SHA1

    5e10f05c7a6a10c456b0be9b38c751a2967a9c5e

    SHA256

    75bcf13c8a274457f05112e09f702957a7f541c8760c10bc86d3a1ae77679793

    SHA512

    9b132bca4ec19f898a62e5a53b74711a3c11fa3f71aa5cae5419be39ddc6d3738aaae75a3e35bbd01f2d09b9882aac11e1deedc2a8ed8b56fa05437fd1499fe7

  • C:\UserDotST\abodloc.exe

    Filesize

    2.6MB

    MD5

    fc5ef04b2995b69640cec1f071f7926f

    SHA1

    65b3d5c360f0f2a4f8a64992b021144b0bba4979

    SHA256

    ae4ed96b635fb8663aeddee18e3bddb7ce3581e9e2ac021bf2470b59fab93ed8

    SHA512

    afde463e64baccfefd830f183b113dab6634f699af9000d86cc28406ed78d5475ac918240ccd834abe6d4b16be5a08853293c60ce96be22c993ac02806f20308

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    177B

    MD5

    a4889691ed0a42d9f82e1d115ae6b0e4

    SHA1

    0f7700dfbd856756ce5b06962356006f23deefab

    SHA256

    8f8ddaeb127bc861671cb51ffa5c23e080f53d455b0e2db7e874e4a3fef9915b

    SHA512

    c4ee342bd97ccdb293f91eefabee641ec74db3b1ea9c483e94a43eda9485f325efe3f47f5d78d38d660bd7fd152f694b5ea519e2ccbd4661ffece6c6a9e137be

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    209B

    MD5

    3face50e47f9e3c9ede0355b9c722292

    SHA1

    199bc25a99f8e984e6c6a307d8fced55d97fa37a

    SHA256

    c4e6a0742c97caca46c1d4a94e51d0a8af368ffa309b18872644a7aaa0797e91

    SHA512

    555e4efd9f2566f19f80f3453cd790e1b7fa7327f00f35380848a0a24cac998d5efb75a11fa8f4f2fefe7df8569fa47e15a120671cddd44d7591a1953933780d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    2.6MB

    MD5

    8b979d17b1e31c0d9a6508dcaab6ea8e

    SHA1

    49ef3dfa7e35188a43387c5cf73372d46d6f4135

    SHA256

    056ea282f20d6e328f17aa225b37109be19dbd5d701e99684101625a78129e46

    SHA512

    0ae2d4163a510376b46806744bbaa17df57fc6a850c6a89067ace610ff990fa9bd6b41cf05130e8d6bf6029204e4b92b30a17a6d1d959e12cd31caf5d2daae9d