Analysis

  • max time kernel
    120s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 17:50

General

  • Target

    f748389f0698788c459b1446e3467ca0N.exe

  • Size

    2.6MB

  • MD5

    f748389f0698788c459b1446e3467ca0

  • SHA1

    252abafd614803865a53d2e2db4713da3de86795

  • SHA256

    b1b55834d1e9ce9fa3974c4855d23957915a2ef58582f976393d85c770b0caae

  • SHA512

    c7c7d991f5a4b86ce8a0a76df0b0ede4ad8c694e89d3f1ba129f14223d35255dff5fc996022d46969d5d4d8731c8f7cd0c1dcf06691454d0ad7b03fac9f09930

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f748389f0698788c459b1446e3467ca0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f748389f0698788c459b1446e3467ca0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1712
    • C:\IntelprocUN\abodec.exe
      C:\IntelprocUN\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxR8\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    2d6323ea43c5c2c984adaaff57e216ea

    SHA1

    d831011285441d207f5079c38c721a14432eef2a

    SHA256

    c6d6d81d38bc69dedf140b70e167e36c0b91ceaff6bc147ef4b2fdf57ab416c9

    SHA512

    4255af5faf7c83703c0500b6ef2a10b066eb47bfe2c51cbb332f4e6ccca73eb31b7489a55c8108d6df79181f4ef9d583d50a988484acd8c0dd3ea9f82eddd16a

  • C:\GalaxR8\dobdevsys.exe

    Filesize

    13KB

    MD5

    fbe3105945c809e8bf6e00f7fef8ce54

    SHA1

    e4b4b6a33f2126392c845abd1669f10511f5c42f

    SHA256

    588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

    SHA512

    50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

  • C:\IntelprocUN\abodec.exe

    Filesize

    2.6MB

    MD5

    10f1ea3db38cbb6d9caeeb52006c6734

    SHA1

    1c63f5371bec46a72ee7ffdd472b02b936d2e992

    SHA256

    142560c63ad1fc56918f2564e058a0855cec9353ad72976b8964b96bdfd4138d

    SHA512

    28d6b6209da3f4ab899cca8091193d368126cadf39c3081709a9f2e266ccd8782c23816c7c3b319c69adb7039e16dddfa36071ce7a1b2fd0e48c25b0f450825a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    67068b19d0b8d8e97ec0dea9613c87dc

    SHA1

    463aa8401903bbea6890946ca087494e34ff2b6c

    SHA256

    68f4dbb83cd246b3b64cc382b0723ae98bdd769dd95b7085cd615b633aa7f5f0

    SHA512

    2bc14aec659776e2dd593f29843c3cb2b366ada6c4286e27d6663f1aaf749f067bc3d5e8bf55bd699f66c78607ea43d26cc062492cdc77c8f48842e34454f948

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    4e6a61d15f138077bbf49cfca4027ff3

    SHA1

    88726b64bc8306fde952924d92a4c622c47bdd34

    SHA256

    3ae0980eaeaa6b0770d86da541de4982f30f7be0c4c103b9ee165f8d989e6c6b

    SHA512

    a8404549d9cfca6d0724e85de3262d3d255a7f3e4e28f205de0fed447d11b5227541bbd8d47f1e69f3f4daf6664ec7ba8898a52ff94abe049a452c63ee61c4a9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    9228a5a4f8ff2db727341429c0ec2203

    SHA1

    01bc2e80bbd51c5d997f87574f2bbf91a6f2049f

    SHA256

    fc066fa76dc079c23d3ae1a5536bdd244d48134bcbf931aa68da8d808455d9e5

    SHA512

    6be1768c5bf0d20d7e4dbc1f92dc8a2b26452ab40ce4fd86e05794df3e8642f97420d0de1c110a62412050c07832c9a9158341b999ffb75ac8153defc4ec1137