Analysis

  • max time kernel
    119s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:30

General

  • Target

    15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe

  • Size

    2.6MB

  • MD5

    779680a307a34a3c91d2090dc6f89fc0

  • SHA1

    64082c617087cf1f8e5b179e2cf4a3ece7ec6b2c

  • SHA256

    15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448

  • SHA512

    ab1dd2eb9b7d479f8b89181243ef1fa401ea920df6636691d41bc100464ae989fb4ad0c8f0b975e33719ea17c881e21fa7a7aabd6e2f7a43ed6ce3e51c85ef87

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
    "C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3460
    • C:\FilesP0\devbodsys.exe
      C:\FilesP0\devbodsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesP0\devbodsys.exe

    Filesize

    117KB

    MD5

    b30af74c34a007928f25b3c482d6aeba

    SHA1

    111abb46b79b44819e95067b1b91c24e37f73cb4

    SHA256

    1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea

    SHA512

    4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041

  • C:\FilesP0\devbodsys.exe

    Filesize

    2.6MB

    MD5

    45729fefe85d6941a3f8639fa40ed6ce

    SHA1

    ef3bde99214f2da29dd6ebdbf98517bd6ba35b32

    SHA256

    1f3a75fbfbc2dce916cd50a5ab379f3f41b56b3ab68b03b22cf324f93e79b6c5

    SHA512

    e496d8bded7959a1ef9657862910dc78b000e9d181bb95e7725797cc6b01a0e0d4a913073ba3a465f6d70fca08fceedba84374d19fc10857e7844efa6456f185

  • C:\GalaxTR\bodxloc.exe

    Filesize

    1.0MB

    MD5

    759aec5f038416e01893d90cfe048577

    SHA1

    ca4fb61ce8b05248741f436c357e8f398a765384

    SHA256

    80dce40506c7a13c6a3e02c2a65f17f09350181f3893361a9acd8c0e860958b4

    SHA512

    3bd433964bc697503ad75d279a10efc318bf6ff53d0c6959885b936b4c24a8e1d47045ce3bfde5e3627b8fb1bf79ab50d8ec9bd00fb50508356168a55a0f93a1

  • C:\GalaxTR\bodxloc.exe

    Filesize

    118KB

    MD5

    49af68b42b3107ac792422c10fe0b74f

    SHA1

    5fc398ad18774ec4495f063f018f4db58862dbe8

    SHA256

    83a7f31b8578e7a00a994f3dbe8e71747a382cf0e351c7d7fa0610dded8976c4

    SHA512

    89a91aafb5af39699748f6b84a6bc5db955d5f5d4474447893b829c9fed9377a791c01483bbd890bff4c7e24d20a7a372137094dd20fe9de5c9057a61f4a37dc

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    590bbc03bea59ca5eec167e87d81ec63

    SHA1

    286454970195b190514d3c52badfafb4be07a082

    SHA256

    5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822

    SHA512

    5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    6a64c9ba46a6f32dc6b2aeca90b309cb

    SHA1

    432e0de09b22ac58f64943e0160910909380f96e

    SHA256

    c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7

    SHA512

    1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    075103a38e58ccda2b4213017c671dfb

    SHA1

    9c2177b52c0e15a5cf7c7a7db79e250542ce09b1

    SHA256

    8d78c8edf9c5423256ba484849772a920422236052237b4d1b230f35c8fe8607

    SHA512

    3aa12d7a5031604ab5a094d0ce066e94ba30d1d60ee68834799a0c9c1eb741b379fb5ac3fb7b8221e1faf0ae6ddb3e4ead1d43b39d50d0e858fe5a88ef7b5df7