Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:37

General

  • Target

    df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe

  • Size

    2.6MB

  • MD5

    c34c3c696612aa793e3357bb84d187e0

  • SHA1

    37a84a246d37673a35e4ffd90003308bd45c7c7d

  • SHA256

    df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4

  • SHA512

    d5e0f513da5d4c6e850e2f90ab7116061cd9a0a113981905c15ca4623cbe3023a8511dd944440d9e78ad91ed45ce39d30acd7347dc26d8b031505eb19f8f62ac

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpIb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
    "C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3292
    • C:\SysDrvFT\devoptiloc.exe
      C:\SysDrvFT\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxPJ\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    580adcb785f4c9d7fa7af2eba4b73288

    SHA1

    dd1446e035ff646b25159a1b9d6352cb8c78ba4f

    SHA256

    dc1206cf447efdadc029458d8426a799fd9feba020da4e33b840485a8ac234f2

    SHA512

    32c1ad509780ee27dfae40a19188dd3d2995e4b59e9151c0a8fc426b29ec0c5f9cd1d4342b7de6a18704d08cf16f3e176729725c0943e9370c7ad3960b60aebd

  • C:\GalaxPJ\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    d5c473000255f9842b989abcac1069e8

    SHA1

    ec9b07cc872b4bef88dda00e1ea7808736a3fd9c

    SHA256

    06e9caa7ae9ae632c13d0c646aaa1fe655dfebea8158ad82821d37df90eb6e19

    SHA512

    65908aad2838a2af4c331d82a66f17997002c817506f27afe57c82336b3438c53df3bee857c048686efc5ecb1706f74f558b588119cb2fd653f18671e78898e5

  • C:\SysDrvFT\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    f1439ca7f62955cea0a11fb3ce1eaa2c

    SHA1

    cfb70a8e67e3d23f56cbe694845f9a4b76dd760d

    SHA256

    bc80fa3fac51184be5787fdaea266bbd8ee08aa558cc39b8c48e1425216c8a04

    SHA512

    2a1d04e77067180777cd68f50594e7e3d3041bdc9e5a15f443d071cd993a2fa0405e00a950fbca2c1e539ec41f43dd24d8e7873cfb672681ea6f7fd6d71c271c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    aab39225ae2a555248e3e417c63940f4

    SHA1

    5789edae92c854e555ba4771dd9e2fa6faac1e0d

    SHA256

    5c4544f0db351afc886a361cae7c5e185a1f1b51833c2787513b2078519608c6

    SHA512

    371d675b2aaff18181d6750ce6cc273a55d8737ec08216cf19953c21bb736c31567d055d98e7d010afc5dc8f0327ad1782aa6170e2b966af8d65195dd9d662c7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    c87521cac59dc8636cdaceeffff57f95

    SHA1

    2e9d96cacfcac9068bee7f9761441290e3dd6836

    SHA256

    c954ce24cce760a33ff026afd004f993a89830cee13044408dce1794cedb25b1

    SHA512

    ab8cf815f9c6d8342631276772c59fbfd1fc5408b6bf4ae17f4199351874b229b75073ee44fd0df673223c853d9e7c3d5b504f42e8075b87abba9fa4d6134642

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    43cd4bc776276a934a84107dda664c37

    SHA1

    3c28aa5f0c13642db1b85ab016d3d675b71d52b2

    SHA256

    2d935c69b3eef3171680e2860159f24ce81d35a73f7ef2c32e99e810b6fa4e1f

    SHA512

    27eb8169b5e82da043a77f160f2dff0f414dfa661389e41824cea38679519c6a7d1c54f4d6ad07e46e3ae540f2e6440e1fc2e987700a5f11c289a3489b4e54cf