Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 13:43

General

  • Target

    54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe

  • Size

    4.0MB

  • MD5

    14be2a9e768c5f9b271bb6e12c719800

  • SHA1

    296d5bd1976aa5a7c4171a877fb03a99ee7b0c82

  • SHA256

    54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904

  • SHA512

    c43f39c3c8aa961f320f4d47d3b42afeb81e5eebab7f29730f919ef354fa474cc46ed5b854816d0731cb6118027370efdcf6e4cb487218229ac953cda1ac3468

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
    "C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1832
    • C:\UserDot0R\xbodsys.exe
      C:\UserDot0R\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2468

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\GalaxAG\dobaec.exe

          Filesize

          4.0MB

          MD5

          ce2193fd462b020f43065dec4150ca1f

          SHA1

          20b76b4dee1c041d30fa754a450e3e6943404851

          SHA256

          334dd85d89773c53f2593c3ac55879135c9dbdb0fabfd649b07c3e2165fd5717

          SHA512

          376a85554f74ee327734d2a4e56470bf736f5a2574a848825ac658be842c21de4c2a8b77230064ca73ba80338c18714a7e811e20ff2921fab28c1a76f403dc5c

        • C:\UserDot0R\xbodsys.exe

          Filesize

          4.0MB

          MD5

          15aa7b0583c526fc67ea17496d518d6c

          SHA1

          dcb514fb3bb989f25ea8c458226ca1d7137940fa

          SHA256

          b0fa3c69e11fec50de5fd2aabdc24820b75631d2726fa79025b058d0b3656fe3

          SHA512

          86bfa3c7aa18e93742a879e2db5f7814ea95d0a26cafbeea5587f25aec274ed6fbe141ffb2dc15514ddd8c4d486719d663c3c386f58dfbb900fbfb4200c54075

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          740a8cd29c1e649f9dda8bee73f7fd0e

          SHA1

          7a1702c103210c15f76c9c283179a80ceec2d8e5

          SHA256

          95f36d908c2177dff251c410f5217e9d48c85c8c5dd70c2a942ba19d6aea4925

          SHA512

          da263b67494f2c3e2936ba1b44f6ccc9bfccff5751ceadaa144f69709f405e4b59411818810d7134c8785984b9f817f6279c78484d956c25a32f363943120284

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          72385154e7e9f3e5d957a23b99ce2409

          SHA1

          0d690556430fc576f3d74c0d4b703981e6d2e807

          SHA256

          aa65798974970730cb2e416ce0450316d91c471a4bb0e0905c8dd5fc1a7348d5

          SHA512

          bd9f4bfbab735e5a6c906a703a6bc46c0901fc1bff6ee5f62847cee6c1cab0a5d3e74e198fa0503813bc5116f2f2b80445478c6aa974b6f0409f18e58ee29e5f

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

          Filesize

          4.0MB

          MD5

          a9873b76a82278cd3bae5209187d41c5

          SHA1

          de6b50075229d88fc6d7c8da8f912dd91be81db6

          SHA256

          6578b2929ed78b4e3311559adcec4f66af5a0c167c6727c32ef9336a1b462f6d

          SHA512

          7f5a2db98aa3fe2354d20bbbe7e84f2ba74984058a3f4962a59b38bbda1309e06d224e5b2327dfbc4f5dc2adb673a23ca5523cab3a78597cf22db137a34c6aaf
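The process tree and the dropped-file list above together give a practitioner the artifacts to hunt for: the copy placed in the user's Startup folder (locdevopti.exe, also registered under a Run key), the copies written to C:\UserDot0R and C:\GalaxAG, and their SHA256 values. The following script is an added example and is not part of the sandbox report; it turns those indicators into host checks. The hashes, file names and directory names are taken from the report, while the function names (hunt, sha256_of) and the test files are assumptions of this example. Note that the three dropped executables and the original sample all report the same 4.0MB size with different hashes, so the hash indicators are tied to this one run; the path and name checks are the more durable leads.

```python
"""Hunt a filesystem tree for the files and persistence locations this report records."""
import hashlib
from pathlib import Path

# SHA256 values of the dropped executables, copied from the report above,
# mapped to the path the sandbox recorded for each one.
REPORT_SHA256 = {
    "334dd85d89773c53f2593c3ac55879135c9dbdb0fabfd649b07c3e2165fd5717":
        r"C:\GalaxAG\dobaec.exe",
    "b0fa3c69e11fec50de5fd2aabdc24820b75631d2726fa79025b058d0b3656fe3":
        r"C:\UserDot0R\xbodsys.exe",
    "6578b2929ed78b4e3311559adcec4f66af5a0c167c6727c32ef9336a1b462f6d":
        r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe",
}

# Directory names the sample created, per the Processes and Downloads sections.
REPORT_DROP_DIRS = {"galaxag", "userdot0r"}

# File names the sample used. Each dropped copy has a different hash but the same
# 4.0MB size, so names and paths are likely to outlive the hashes across runs.
REPORT_FILE_NAMES = {"dobaec.exe", "xbodsys.exe", "locdevopti.exe"}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large binaries are never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(root, sha256_iocs=REPORT_SHA256, drop_dirs=REPORT_DROP_DIRS,
         file_names=REPORT_FILE_NAMES):
    """Walk `root` and return a list of (path, reason) hits.

    Checks run from most to least specific:
      1. exact SHA256 match against the dropped-file hashes,
      2. an executable sitting in a Startup folder (the persistence location seen here),
      3. a file name or parent directory name the sample used.
    A single file can produce several hits, one per matching check.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if digest in sha256_iocs:
            hits.append((str(path), f"sha256 matches dropped file {sha256_iocs[digest]}"))
        parts_lower = [part.lower() for part in path.parts]
        if "startup" in parts_lower and path.suffix.lower() == ".exe":
            hits.append((str(path), "executable in a Startup folder"))
        if path.name.lower() in file_names:
            hits.append((str(path), "file name used by the sample"))
        if any(part in drop_dirs for part in parts_lower):
            hits.append((str(path), "directory name created by the sample"))
    return hits


if __name__ == "__main__":
    import sys

    # Point this at a mounted image or a suspect user profile, e.g. C:\ or C:\Users\Admin.
    for found, why in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{why}: {found}")
```

Run it against a mounted disk image or a suspect profile directory rather than a live system drive where possible. The Startup-folder and file-name checks will also flag legitimate autostart entries, so treat those hits as triage leads to be confirmed by hash, signature or size (the dropped copies here were all 4.0MB), not as verdicts. The Run key the report mentions is not reachable through a filesystem walk; check HKCU\Software\Microsoft\Windows\CurrentVersion\Run separately on the host or in the offline NTUSER.DAT hive.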