3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Size

2.6MB
MD5

f2b732029b7d0d90984c2257a1f69e4e
SHA1

1d98d0465855ca94725b21b0fe22a76e82fc43de
SHA256

3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2
SHA512

8c3fa8dfaf1e202cdb20daf23417685bd65e6789e7472b680fc130b1e6ed860d68ccffb973bea6a71566c78646b5e52a0b25cf97d4e4c49d613c4af0f76fd973
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpYb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

Executes dropped EXE 2 IoCs

pid	Process
2020	locdevopti.exe
1928	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0R\\xbodsys.exe"	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAG\\dobaec.exe"	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe
2020	locdevopti.exe
1928	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2020	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	30
PID 2260 wrote to memory of 2020	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	30
PID 2260 wrote to memory of 2020	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	30
PID 2260 wrote to memory of 2020	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	30
PID 2260 wrote to memory of 1928	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	31
PID 2260 wrote to memory of 1928	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	31
PID 2260 wrote to memory of 1928	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	31
PID 2260 wrote to memory of 1928	2260	3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe	31

C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
"C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\UserDot0R\xbodsys.exe
  C:\UserDot0R\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAG\dobaec.exe

Filesize
2.6MB

MD5
6b0e931da6e74713906622a47b2d8a04

SHA1
7e8b1fd0389a4c22a21455a92bdece41fe5a917f

SHA256
f2ba04f8558e22351738b366514537909450d4986ef6c0a8139c5eef9f6d862a

SHA512
3aa9d5e46584290d1ef455473c43385a2aad513eaaa8c71354588f9015c6a36787c062ede08de846f517a575c25f95c7b4cdd6a2b1c99340300b98387c00da30

Download Submit
C:\GalaxAG\dobaec.exe

Filesize
2.6MB

MD5
a8e3504275b78622a20767f146a8b309

SHA1
0aeeb123d18aed187b505a23ba9688c7600c77f5

SHA256
6a56680dc028931e32dddad8ccd9505fee5c41facfdd91726b1c8d5fad39803d

SHA512
725652c74bc7ffe9b13c8773ae57d6385b0b5fa88554edb2d379a80074c6cc5f18c67ae8bfaa39e180e40815abf78bb5a2823b69d459e7eadef53cc1e47fc827

Download Submit
C:\UserDot0R\xbodsys.exe

Filesize
2.6MB

MD5
60ec18f0213eed738888a854e113a7f9

SHA1
462e237714fd2ef91c203560caee3da905f3c6fe

SHA256
43630638ea66be235135ae57053ac052043e8ef5239a9da1b601f23c211da16a

SHA512
3ee8e06280d8f5a2cae57963796fa7015dcd8e7128b2de273270a01672265a3bdc6e214e8641ae9541abcec48f756b3b3c87e31da0bc9c97c16e0b33b76dffe5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
740a8cd29c1e649f9dda8bee73f7fd0e

SHA1
7a1702c103210c15f76c9c283179a80ceec2d8e5

SHA256
95f36d908c2177dff251c410f5217e9d48c85c8c5dd70c2a942ba19d6aea4925

SHA512
da263b67494f2c3e2936ba1b44f6ccc9bfccff5751ceadaa144f69709f405e4b59411818810d7134c8785984b9f817f6279c78484d956c25a32f363943120284

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
72385154e7e9f3e5d957a23b99ce2409

SHA1
0d690556430fc576f3d74c0d4b703981e6d2e807

SHA256
aa65798974970730cb2e416ce0450316d91c471a4bb0e0905c8dd5fc1a7348d5

SHA512
bd9f4bfbab735e5a6c906a703a6bc46c0901fc1bff6ee5f62847cee6c1cab0a5d3e74e198fa0503813bc5116f2f2b80445478c6aa974b6f0409f18e58ee29e5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
e99f6e83cb0b82fc596972c32ac4d623

SHA1
c6bbe9214927141081ebd9af094347ed25a6406b

SHA256
2e0389b0d948e43cc6c9edd7959a4419284301fcabfed8254c1ef7baa777c29c

SHA512
e8e64f339066355f3a8fd26cc7a0596989e2c301340f949843daad18e287469459a7a53e354f1fa0879f909e4a0eba5f35d2b654f07895a16217aea9b376ad20

Download Submit