Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:26

General

  • Target

    931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe

  • Size

    2.6MB

  • MD5

    2ead6a6da90bc4921365d428319a4d80

  • SHA1

    8c5ab884a871c1901a8223c9295db1b6125a26dd

  • SHA256

    931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6

  • SHA512

    4de06daa51637c60fd04075a5ad690a7443102e55b612171d05149242236653f9617164b56670bb0bad703816063d4aec24e1cf08d0624e1be369659a8e04f85

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bS:sxX7QnxrloE5dpUp4b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
    "C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2160
    • C:\AdobeM3\xbodsys.exe
      C:\AdobeM3\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2736

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeM3\xbodsys.exe

    Filesize

    2.6MB

    MD5

    9b4697f98a51dbcb5e776336c3add935

    SHA1

    a67be0a45bf12f0b683ff3d4e0ade73fa3a030d4

    SHA256

    e450087ec4200f7ffff07aa7a8ef0f38c4c1e1ad556b0add40a4ff1214f1ae40

    SHA512

    fb6d3218a1a8fe09b72abe6ebcbe51fe9f3aaa37d417bcfd5a4f83ab1f719ff16cf2b8797048b5a5abd8447082b06ec511a8b0249d761d253926013f4c9b94c0

  • C:\GalaxTQ\dobaloc.exe

    Filesize

    2.6MB

    MD5

    f199073bb1aad26714da31ce7d05c566

    SHA1

    a1fb63adb9c24f23967112ade629269d5f24b9f2

    SHA256

    9ec63096a8cb9b3dc094bc560678cb63b34eaaf84f4969593c4eecc2f98956e4

    SHA512

    43f86021a35266c5613aaedfddff82a37bb7f5b2b6805bcf3fdf5d5923b2bdb23ec9dd12c5879a5cca3c0f8a06385a34c1645a057759f6e16aa95f8c318c0aeb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    108120861b264c297c8ee6901c695155

    SHA1

    e5386c9b91504be5d579f3a40f141ec81a0ff4ed

    SHA256

    d05ba070693fe159225d5667ff3251381f292b8e1dfad5f64ed101005e0f13e8

    SHA512

    b31168ba5d1d06f435f7f3c5b5054f4a79834540229ffe1c81ac150dbccd75bb7e704de7f4aaf2fb4edafed1612da701b99ad4f2473377e575365e62ba2fa4d1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    812192a0de9b53732cbba5d5d4a93fc0

    SHA1

    c6687a7dfa746d966a1a172363901fbad4abccf8

    SHA256

    70bfe1b747a412be640de2750a6a9be7e021f1eae249c859108f4c96ec69642a

    SHA512

    4654f17cbb1de06e01b8284875751fa9ba11d61a629203db7bd2b9a5e39c28f29c5bc5e0c3651903f871493adcad75a7059c99cd6a1ace45ca00fbe675d6c0c6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    5bfa0ea5c4ea84b08a4168e71942ca75

    SHA1

    c1cd53fd45ac74f4702db1feb96a154bd37af93e

    SHA256

    1d702c27dcee007db646d69e6b0d7985a0f2a322de1f50f6223e6a95608e0a83

    SHA512

    a8753cb0ba5e5e86f9e57837ce898b7acd5fcb87bae71b422f7ba3d873d3f2348a6df8f46237e4f61db195275703f8cc27849ceb8b7dc0223163c0b3e4192e47