Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 15:58

General

  • Target

    87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe

  • Size

    2.6MB

  • MD5

    485119cab14345a88de5b76cdb10ccd0

  • SHA1

    6d30a874aff198919da09984739c24ea6dd85ea9

  • SHA256

    87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206

  • SHA512

    f1d3483d567267362c868b0a28ebbc93dc767c824ccca0fc13bef04245f9a41868ffba9e2261d3d1f1df30c628f278b815ada0d76d19da98d493c693019e0fcf

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
    "C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1184
    • C:\UserDotMF\adobec.exe
      C:\UserDotMF\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxLQ\bodxsys.exe

    Filesize

    1.3MB

    MD5

    9e5c47ebf907fd49713d362401639607

    SHA1

    7403795c61bdd015981490672424e91d407fcfbd

    SHA256

    af365f05c0c1d759666fc1d08927c7b78c2e9a8560b24bac0ee3c0c971256006

    SHA512

    df426977779c648e91a20a45f4cd6b01ac02de17c3dcb3fa76c2a763244c71749e20cec94f5ee0eaa711f5e014b96a39bf099515b4f7fffd578787f58bf99818

  • C:\GalaxLQ\bodxsys.exe

    Filesize

    2.6MB

    MD5

    ff03a214bde96015a9ab7317d09c70cf

    SHA1

    34c5b89483d53bd81c5ea0e3c06b8a7588446865

    SHA256

    0d45847b7939b06e826f91d86bda77480f92c33c40f79ef00dd7379d36725240

    SHA512

    e43d9992a6a3961f55067947cb1acdbe145496e7cd2d772d590404e999dd0a32c0400f69f956f9d3804793418024d49321a8ed2937a1ac64f78603ce4944664b

  • C:\UserDotMF\adobec.exe

    Filesize

    2.6MB

    MD5

    1847caeb026b2bf8d289901423efc9c7

    SHA1

    677dd754a92e85b6aa9be35d144e627a1ab26558

    SHA256

    8e9ea329f575ddff4bb741815e335e590cd0e18fa4ecb1e13f94765958c3f381

    SHA512

    8e6ec98a250e6ccc3ed70b7fef284f448abb9938c5681bddb45a0b558a20ed0a0661dd3f8d29ab8d5b094c63b665aa12ebd8f9cc324c65b591e3bd539981251f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    a0c6dcc51b56622788643606a2d527de

    SHA1

    62cd38b62eaa37f614ed4f30b6331f426fba4d3e

    SHA256

    47ed11d16479b7712ad89717b941c5a12f5d5a9d6a1c0f922a6cd5e17ebf72e2

    SHA512

    fa6c36707f3ba78382dd6078747e24b2d7941e59dbcb0640abe15d1d8618b61469f1782663fe28029b372409fbb1b50c14b155de687ad103c2af6a36a65212e2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    67f2c8b48294bde9a7a4a1d94a9cf141

    SHA1

    fc991b3254d4ad05965b637361fb046595e35a9c

    SHA256

    ecd9af44cd7bd720f072fb4f4bea588b756dee542575317911d4ee85de334041

    SHA512

    358f8411f95aa19266d53d39cdec75794296fb5b256c3789916666b6ee622522da66b87a97b1813e6c23751837471f8093b14f054472b8a11b4baf7a9d0d41d7

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    1770dd3b001c55598f0d309a36d22016

    SHA1

    3f74d6c04f83a4e01ceee3c8b8087e7cd7be66f1

    SHA256

    c333a3b88f2e6aaf0d152f565d7c1cec270373b9f52ea9a1546d9a5dd2ef4410

    SHA512

    f4d83c0dc2284fe942455d1ef7c7ba3d28395f5a654d8a7b422b68a4fad913d3827a0eeea505a9c593e55baa233e8a221c6a9b91abc86dc8f98873d8202d4e84