Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 22:38

General

  • Target

    c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe

  • Size

    2.6MB

  • MD5

    44e34eb4cc19d4dd6e2cd8838b5bdb80

  • SHA1

    e87d983c1eb39ef25554dec73e82ef355c9fb613

  • SHA256

    c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4c

  • SHA512

    71cd4921c9a49e5e6e3224372223053e03169b0e6ca2b58080e421aee98abfa9703d4e26c556b88dab89bf0143b0212505c7411aae1dd8dcb0d430556b9a69d9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
    "C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3108
    • C:\IntelprocRA\aoptiloc.exe
      C:\IntelprocRA\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1772

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxP8\dobdevec.exe

          Filesize

          2.6MB

          MD5

          2ee5c3d8602fb571814f295d8c2b93ff

          SHA1

          270b24bedca1c79062c50e524a90a748eb89d7c6

          SHA256

          ead41c53762acfdc5bf3c53bc87f02074c0a43406ba92ed00f067410c61e12c4

          SHA512

          6c7000e763d3cbb78f67d48c76adadb75680bedfd516079e99009fea6cfabdfbddaa98ffff10f8fdec9611b43d724190d259f038c0901bb8422c471041500d07

        • C:\GalaxP8\dobdevec.exe

          Filesize

          2.6MB

          MD5

          45578479a84404c4c9207651743f4732

          SHA1

          aa5b005b5fa67dc7661a7420b7185e94491f8124

          SHA256

          78899659482d326209dc1ade0a831bc60b86237679f92efa3727d1e76a5c7e73

          SHA512

          e69e1f0d2c4d612d6cca1557dedb61c406978fd05d24500e1f53b7605e9c69cd24dc1c67b4aa36e6b4f0e2a6a303b2adb95655fdf9719c2869fdc87de9cd1a5b

        • C:\IntelprocRA\aoptiloc.exe

          Filesize

          2.1MB

          MD5

          ea02732ce515056907b93a5cf5ffdf52

          SHA1

          afa9370c6c9770ee479b6748dc3b830e542651ee

          SHA256

          a54fc3e011dca9dc76e40038ec4ba73091ff440916c1307f29f7f5f17f5414a6

          SHA512

          997fc9f5f63cb30e3fc1d10fd76cf0c7a53ee89c06c6741f059858987286844212c197af40572a7dac5bd4c1052124b38cca1f817c51b68246561acb5b66c1e7

        • C:\IntelprocRA\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          03be06041b543877be92277560087914

          SHA1

          f28d20007f7088d0beaf6c40707609a9b8dd9d98

          SHA256

          ab1b1c08bd22e92530fcc21fe8d8d90ecb08681786c07151e1d0d2b91fe2b2a0

          SHA512

          fee56291e99dd939851e205a95f3dff7ce29fdf95e1892e37bf27ac0b147f56f27cb46dd083a329ffd33521d1f9dd1980bbaf9db2c366a7369d7192a9a2c43ef

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          207B

          MD5

          4f4175d9379bfe68015862710532f4f9

          SHA1

          8baaee141f6b6b0612e515c7e1ecd506e4e5a6cc

          SHA256

          5ceebcf3f2abb8c0f50e2278ebb72b57c7f7c4f5626be7281bea4d8878964eac

          SHA512

          e8cd5346ec927c03f9a995b7062353177aa26dac73f40121ea21b62e01755b7315a003bf7e7f25d6bb52d5320cd7b5fcb5c12bca93d016af4712b9f7af6778c7

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          175B

          MD5

          06c1c81701bf99088ee128c65e21b1fa

          SHA1

          17404868537a8fa76f0a0c6d6c262d2372408ace

          SHA256

          4b8a3cf0574a3af95303e3d03ab068229e6dc274dbca5fd3840a9b47f4f6b363

          SHA512

          494a274ce46e6225d0301a1c509d51fdcb2a610fff911ef18fb857ddbd3fd49dad33a6e8d4ac998faf42d9f4c55d66db327b58616cf40cda989548481b5a5f8b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          f8e484cc6cb00202163c465b97fe8bd6

          SHA1

          8ef010f19c53218bcbadf34497f9aabde37f32c2

          SHA256

          01b79b1693a1d63933c1ce0fcf3b233167969f4b6134d3ffb51a34aa52e30af0

          SHA512

          27f93c1c0d89efc3cef250e261f059c7951a460a4af4d40631929429a5daf0ae4746257703edee4e2d96bfc21f0b24d6205ee4150cdebb2b78ecb8c5819e74bd