Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 03:52

General

  • Target

    d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe

  • Size

    2.6MB

  • MD5

    5ea12786e77fd6800b9cfd6c9aa64cd0

  • SHA1

    52e706cc2bf6df78b29079d3e45cf68cbe0d49ce

  • SHA256

    d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2

  • SHA512

    f19204e3fdfcbe6af4d455df247bc8a260f4d934a5e98c2e33214b8b728757888e982e79920cdca640934981b1a113339bd99db2c26396640535ceba9edb0c9f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpOb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4088
    • C:\SysDrvAQ\xdobec.exe
      C:\SysDrvAQ\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxMP\boddevloc.exe

    Filesize

    2.6MB

    MD5

    06385875dd55022a41a5eadec8557162

    SHA1

    1813249d23aea943a7f5c4785f850c87026dc382

    SHA256

    57fcea517e5106ef77f2c5eb86262491451de635f3d621ce9d7715605c97d386

    SHA512

    e4b3748a99525b2600c4f58f67ad87850e26c5d324f202efbebf6e83518177e637603cbee1db22f62acc250c77cc0efd4514b56065381cadb0527f5f01992a97

  • C:\GalaxMP\boddevloc.exe

    Filesize

    64KB

    MD5

    1fe0d14acbae1f4503fe3c851d715a39

    SHA1

    6e9ecb695f2b07b82aa67f8a0c7c244f7baada13

    SHA256

    61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574

    SHA512

    5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

  • C:\SysDrvAQ\xdobec.exe

    Filesize

    2.6MB

    MD5

    17dca6728c3750be0e8e5cc3c45d7d4d

    SHA1

    45ffb2ae2d9e6f96852e2b748863c52c820a8470

    SHA256

    c422701479bdff3fba63eddf3aabc99f264e16ce9d6ac203fc5d35c51f161f11

    SHA512

    1faceb8676902e3d676d53f32b3bcc66044748bdb87bcfdeadaed105fecc55647a36a741f8fc7ad125b6678c631f43113820d06c09ddca05c381d08048bfcaa1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    206B

    MD5

    bf313a83fe5eb48656a2133d0a82701f

    SHA1

    38583ccda122d5a789bf363e6c889b265c15f2cd

    SHA256

    77226b12346b836edfb08e0d4ce60aa8bfa179d7da4f679f5e51bf3ba8c960fa

    SHA512

    87a2fada08b9d8c72d610fadf859d810d0d3a7e2326d12023ea75f96d429c8a6647c4dd85fac2e137647ef8647a340a057f042988a53e7fba7d49e4152430648

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    174B

    MD5

    5ab8bbecc4ddcded6c544082b4fbbc19

    SHA1

    eda27d640020ba79cc9e67461f08ca931cf91ee6

    SHA256

    406baacc05b9b4da49f0060795e6e3a0624edeb49b4f9deb7e0fd44ee888ab9a

    SHA512

    d1b27e21d01c2257f9689fa820376649467b859dac01b17972887a52a0f8231a916afb0ec7fc8ecfc1ece82ccd0ce1913dace945481ab59fb7ce1bd6a22a93d1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    894cfae85a0de41286d90e75b88f08a7

    SHA1

    a52fa5354da642c6e764bfad66488224101c1179

    SHA256

    39401a89ba147661bddb5600a8c0e177dcca832170ac643e34949f90df3e4c3a

    SHA512

    e2dd2025c6173f4893d611738a34f52b7351c19c7c1ad6c489d77f618d2ccd44505c73d41afce1f21fa879ac2acd53eb45f3ac0060b850519101f4d2d601af73
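
The Downloads list above is the actionable part of this report: the sample writes copies of itself to C:\SysDrvAQ\xdobec.exe and to the per-user Startup folder (sysdevopti.exe, the "Drops startup file" hit in Processes), and also writes C:\GalaxMP\boddevloc.exe, which is listed twice with different sizes and hashes but never appears in the process tree. Because the same path carries two different contents, a hunt should key on the SHA256 values rather than on paths alone. The script below is an added example, not part of the sandbox report or of any tool it names: it loads the SHA256 values from the Downloads section, walks a directory tree, and flags files that match by hash plus any executable sitting in the Startup folder. The on-disk layout used by demo() is constructed in a temporary directory with stand-in files (not the real samples) so that it runs offline; the Startup path fragment and extension list are assumptions chosen for the example.

```python
"""Hash-and-path hunt for the dropped files listed in this report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the Downloads section of the report. Two entries share
# the path C:\GalaxMP\boddevloc.exe (2.6MB and 64KB), so the hash is the stable key.
REPORT_IOCS = {
    "d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2": "submitted sample (...N.exe)",
    "57fcea517e5106ef77f2c5eb86262491451de635f3d621ce9d7715605c97d386": r"C:\GalaxMP\boddevloc.exe (2.6MB)",
    "61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574": r"C:\GalaxMP\boddevloc.exe (64KB)",
    "c422701479bdff3fba63eddf3aabc99f264e16ce9d6ac203fc5d35c51f161f11": r"C:\SysDrvAQ\xdobec.exe",
    "39401a89ba147661bddb5600a8c0e177dcca832170ac643e34949f90df3e4c3a": r"...\Startup\sysdevopti.exe",
}

# Assumption for the example: the per-user Startup folder fragment used by the sample,
# and the extensions worth flagging when found there.
STARTUP_MARKER = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
EXE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, iocs=REPORT_IOCS):
    """Walk root and return sorted (path, reason) pairs for hash matches and Startup-folder executables."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_startup = STARTUP_MARKER.lower() in dirpath.lower()
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if digest in iocs:
                hits.append((p, f"sha256 matches report entry {iocs[digest]}"))
            if in_startup and Path(name).suffix.lower() in EXE_SUFFIXES:
                hits.append((p, "executable in per-user Startup folder"))
    return sorted(hits)


def demo():
    """Constructed layout (not the real samples): one benign file, one stand-in whose hash is
    added to the IoC set at runtime, and one .exe planted in the Startup folder.
    Returns hunt() hits with paths relative to the temporary root."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Users", "Admin", "AppData", "Roaming", STARTUP_MARKER)
        os.makedirs(startup)
        os.makedirs(os.path.join(root, "SysDrvAQ"))
        planted = b"constructed stand-in for xdobec.exe; not the real sample\n"
        Path(root, "SysDrvAQ", "xdobec.exe").write_bytes(planted)
        Path(startup, "sysdevopti.exe").write_bytes(b"MZ constructed stand-in\n")
        Path(root, "Users", "Admin", "notes.txt").write_text("benign\n")
        iocs = dict(REPORT_IOCS)
        iocs[hashlib.sha256(planted).hexdigest()] = "constructed stand-in (hash computed at runtime)"
        return [(os.path.relpath(p, root), why) for p, why in hunt(root, iocs)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

On a real host, call hunt() on the drive root (or on the user profile and the two drop directories named in the report) with REPORT_IOCS unchanged; the demo only swaps in a runtime-computed hash because the actual binaries are not available offline. The Startup-folder check is deliberately independent of the hash match so a recompiled or padded variant that changes every hash but keeps the same persistence location is still surfaced; the Run key persistence noted under Signatures needs a registry query and is not covered here.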