e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
Size

4.1MB
MD5

bcb3bafb633058759527c977dd01c12d
SHA1

39b5555db6594219fb36d700e8f4dc9a7b5b5484
SHA256

e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0
SHA512

f932a47e55fc362f950b700c9b8db0d837db27cc8cd765873ae116758b456899a8b3c192eaea54e98dc1521f594b6629980337eedbb7d95060c7b12e80259837
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	locxbod.exe
3952	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAX\\devdobsys.exe"	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobdevec.exe"	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe
1500	locxbod.exe
1500	locxbod.exe
3952	devdobsys.exe
3952	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1500	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	85
PID 2240 wrote to memory of 1500	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	85
PID 2240 wrote to memory of 1500	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	85
PID 2240 wrote to memory of 3952	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	86
PID 2240 wrote to memory of 3952	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	86
PID 2240 wrote to memory of 3952	2240	e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe	86

C:\Users\Admin\AppData\Local\Temp\e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe
"C:\Users\Admin\AppData\Local\Temp\e3c60c1c875497d6d2968c00c5005dc3b3773fb8febe9ecb444b591015afeef0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\UserDotAX\devdobsys.exe
  C:\UserDotAX\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxGD\dobdevec.exe

Filesize
4.1MB

MD5
3f26bed845f0be39794527b8475dc023

SHA1
d645dca0a44156fe691a2a3a6598479faffa56ec

SHA256
31f35fabb902c56da397c3781b0c07b34c1773a4923e4c6c0a5b2fa1acbb4d90

SHA512
33b1d1058fceaf9df006ffcc27591e127426628ab808ad5ff29eccd52784ccfdf2f8337bdc4c0563be8879824624d2d69323c9ed0d2e32725f7ecaf86712b02f

Download Submit
C:\GalaxGD\dobdevec.exe

Filesize
4.1MB

MD5
d96ce25b16255ecdc360bccdb73500a0

SHA1
eb7566c860e2b3622796989938f03af86f1c02d3

SHA256
312a8bfdfae9946bbfdb369d700bb9a26d4a4a1cfddf43729e3b04505fcf43ff

SHA512
9bb5250f305e18774a1025547019a0b4269b336d80c2792fb8505b1139d9ecf7f24643629cd19e7eadb50619d7f926b38a0dffac77a2c65992077c208a36fe9b

Download Submit
C:\UserDotAX\devdobsys.exe

Filesize
4.1MB

MD5
61daacc711d169da1c5bfcc9550c70bd

SHA1
65530eefe2b4c1e9d64ca0386cdd0010ab3af878

SHA256
dd2650aada93f48c30e3f1f2c498732fed590eb98024798836cd5f9dfc9e6200

SHA512
a27e07f42b3d32c94bff64303c56528e592517fdd44c05921d08afec89234f4ee1aa52f31de923b2ce3f34fabcfa8ee67cd60b6b861ee90ce6750d8241edaed6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
48972975c2d9024347c7c1659b995da5

SHA1
4d0c5c25f3d08026f86c7b6627e4b384968235fe

SHA256
891cddf2903c63965d97c95a28339fd8a551a7bf425439c1222d57e2f9e97bf6

SHA512
8155c08918b52b184299fd3888f013d2dec89cd4da30bd4e2169535542513f3f99bf23037b3b18fe1ab738191428bc9ad87d6597bd6b44f61d61aad7e64eeb3b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
5b35cd0c07ef9d368dc141985942ec1f

SHA1
32d248ed995e6341dddd7dbb4f056002bdb10f26

SHA256
aef75e72d458c18a1b5d1c55a7bea7ec9359c016f22568e435219869538ba44e

SHA512
39b14073f68f6b58a497754c5ec8cd2754893a81cf7636066462a68a109b4c094860ebaefe4779612ad07f88733a0498a89460efaa60b4b856ec719c1f7daa03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
4.1MB

MD5
895cd551f17270998fc2bad42343eb56

SHA1
21a4e4f2f90deb469023f00a722fd0127a82fc6b

SHA256
32d9c3456c0ac451f1537f650e7bfe88762b505089c6b25e8a2dd29a5b72cee2

SHA512
7757deb702fc830b4fedb7e6de0ebaed76e648c467b1d258ea090723c210b4f2fa128aa734996b3fc46b074814a804512a56ae5b9375c32a88355f374c26f680

Download Submit