Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:00

General

  • Target

    1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe

  • Size

    2.6MB

  • MD5

    0ac1a0efc1023e6cecc0c6c6dde40980

  • SHA1

    a0ad2ae3a452ad35b8ddf2708260cb0af99da89f

  • SHA256

    1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ec

  • SHA512

    c918a55040ff23b428814f621d774d3698c2cb2e66922bb7f79f7744d3c60717dd69e260189a48dade85b7dcbdf2ee1ce164baf0da96b82296573d72238e9cc5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSq:sxX7QnxrloE5dpUpWbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
    "C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2820
    • C:\Intelproc4Z\devoptisys.exe
      C:\Intelproc4Z\devoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxIH\optidevec.exe
    Filesize
    7KB
    MD5
    20ec6effd447fb35f7db816f8c616148
    SHA1
    c8c9edd9f30b93dc161fc035c69b57e7af305dce
    SHA256
    43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7
    SHA512
    6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

  • C:\GalaxIH\optidevec.exe
    Filesize
    14KB
    MD5
    eea4aa3d13cff294fb9de101050d3b95
    SHA1
    8be9253d0215e54c585f56eadb2280278a3ef3fa
    SHA256
    4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5
    SHA512
    8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

  • C:\Intelproc4Z\devoptisys.exe
    Filesize
    2.6MB
    MD5
    ecc3915515f928e30912302b17832044
    SHA1
    f1e5d95c8ae6cb3531a7ba46790fa3d9370bef9f
    SHA256
    649450368f2695fad404dc4a0a6624d6c52af78ab765340f5f0e3863b2383236
    SHA512
    2d0c094aea38c2b856fe06a2995645c9bb55ca7159ee48000c1dae69381235cfb9053789174175f6566d37465063899c9ed1e47514be81f540568c2eeffd0dac

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    180B
    MD5
    dca88425f12c54b4d61bcebd9574e85f
    SHA1
    e84eb30683b7a5a301be9ed38ffee31a8fd5cd15
    SHA256
    001d8ccb50643d0abe0fdbd38ecf5973b621a6d5621c60257608e2292ecf1629
    SHA512
    a8b917856f9ac1c084c56291d7f8387f9a4c14218f53c59a4d13a2a59506615a457defda299413a3d9b86161a875ef79070ddffb52d65b9dfdb0555bc0059e4c

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    212B
    MD5
    c0cffe81e84f4aed80dd57202a7b94cd
    SHA1
    d48fa008b2c75643eea72c2d7e553bb82a91787b
    SHA256
    a155c92f74d70898d2fea00cc6d6c43037643879e7d77347c3ff48eb8aa1cb0d
    SHA512
    9faab45f910cb29df24339d520cd27248f8a3335ec495f4b285b1549cd9271ee3670df84aabbe4ab9e179a365bf8568eb3b8e58943949e37cba9faa6df905f53

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Filesize
    2.6MB
    MD5
    b3f7bc59cd7d27688a2187825dc9ab91
    SHA1
    be291266944fe5bde91bb6eb2de75fd60774d2a4
    SHA256
    12d2e4491a844e28d43751e9e691a5bfeae0b62fe75423f227cbe3fcbec90eaf
    SHA512
    3456cf28fb87e284141bf581bff0e1bb8a3a17a64580c7d85dc51aa34160f47598dd39dc0ac3e9466d8fce2e20f3813120a391fae786998ae3b2a1d1d374e129