Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 14:08

General

  • Target
    298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  • Size
    2.6MB
  • MD5
    5f4f1944a84e9de12002ea1bdad7e7b0
  • SHA1
    894083158d61e521c5564f4c9096eef92d745361
  • SHA256
    298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273
  • SHA512
    6bc6c334ff8d4ea78f270859d87c02adc44ca9658d888e3cb9d86f8294364ad70d3038851dddaf9c8277aa641142a2694e929c7f6db2618db66de4f97b966b2c
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
    "C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3044
    • C:\IntelprocBH\xbodsys.exe
      C:\IntelprocBH\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2368

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxBZ\dobasys.exe
          Filesize
          2.6MB
          MD5
          f352f380ae889fc106c5cd33d0f394f5
          SHA1
          86a1f5e36cb8a125dc78e4ae2afecbceb51d5693
          SHA256
          a77b5c6fdaf62dc9dd33b6abe3ba79d4ab08dea242586b669e6612bf8ccd1bf9
          SHA512
          cc8d37edef07224579dd77f8d754422444598ec344e6393af6eaa6b466f60ff68c77130a110370c4120a34dd0fe73434da92c75495b63fda922c4d639a7b8089

        • C:\GalaxBZ\dobasys.exe
          Filesize
          2.6MB
          MD5
          aac74e8974e0fd5da63b44dd061f80a1
          SHA1
          bdcfe26b91d968f331913268a3807ad95fa7a3f3
          SHA256
          18c566d77b99cf75275f1a1c8e0c9d7557ac511d2ac4a4391e8cbe9416ad65bc
          SHA512
          100de874a1517b8974e6ee0266f35aa1d234e882667b7ebe55bfe170889c5d3cbf3c68f32b5988d8b4a0fcf7e50143e85d2a7d37789aff13de2aaf9aeadb6f12

        • C:\IntelprocBH\xbodsys.exe
          Filesize
          2.6MB
          MD5
          0ac81f0cf65b0c10b3a47eef0fe8f03b
          SHA1
          c7581ea428b30139a83c14d058c2eca10db8f679
          SHA256
          456cf555aa941a4b9bde06bee683275d2ffb6d57a9b96d273ac5ebf5408fa350
          SHA512
          59177009c5d964497d74ca7eb7e742391864f4169f1db809fc152e7c19bbb06dfcf3a19276ca24f148908985cb09f16bc93816e368ce60ea96faee4f36895525

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          174B
          MD5
          55e0dbfa6eff772945c470db86c29055
          SHA1
          f76162df69191c8f7d193f3fe114225162b435aa
          SHA256
          b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9
          SHA512
          542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          206B
          MD5
          a2c8139958833a967304ac5f05b8908f
          SHA1
          897c56e3e6ea8df50be483e6d1d38daa09bd17a6
          SHA256
          bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d
          SHA512
          3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
          Filesize
          2.6MB
          MD5
          1b17197225f458814da214ce4200d5f6
          SHA1
          a140f9885812260c1d23b7c848148660bde7367e
          SHA256
          c3f5453883d3a78499e2969aeceb86e8b48b64c78a71d3edd65e500d64b104e1
          SHA512
          b44de425486f5e5bf8e4a0b68a147b3a7ea2156e1fdfb8fd5645df1a3d0949c890788dfff9d4e19f8bacf0b51ea8930004a213a64d02f35840b70dd0a37b5cf3