Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:45

General

  • Target

    f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe

  • Size

    2.6MB

  • MD5

    a3875c96399721e33b1ea6180d7f6e50

  • SHA1

    ee29ca8862ccfb321c3cee04d6564dcf41d56402

  • SHA256

    f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c

  • SHA512

    7681adc3c525607a6bc9fcc33d39c961a0eb0cd95deffcf9495ccd447ebbedfe026bddd3dc501b9ac61f057f82237125558869a5625482f21f116efd67912670

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
    "C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3052
    • C:\IntelprocBH\xbodsys.exe
      C:\IntelprocBH\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxBZ\dobasys.exe

          Filesize

          1.6MB

          MD5

          a23f73456cf57f6942ff1fe1441b4cae

          SHA1

          2dc6db7f1898ce8fe16042906a0cca3004bcc464

          SHA256

          46a4a60f35788c824b4899fe1e178c160bc9f309a484bca43fa7273c2806a411

          SHA512

          862f33ca57f221b0f66a5fe456eff7a2deab22c377d53af64984166a25ef631f136997e8e3f4ab64cd0c55a335e2ea69edcce5dbf987c795617883b972d8bbb4

        • C:\GalaxBZ\dobasys.exe

          Filesize

          2.6MB

          MD5

          5bbbccac963520a478f51eb3417ffd9c

          SHA1

          ef7d8f00495c497203c639c8f8533db933124f3b

          SHA256

          7e4c897d5c957374ce2b5f609de037ca456829f91352347ba0c308f02edf06b8

          SHA512

          4550b44ac7aa5db140bac24d740da9f1fc59f93188770ecc18d94a52d700d20a4d3b8d19f82626688263cfa0b6e4439ef8854f20689c800ccbcf21ae1b934c97

        • C:\IntelprocBH\xbodsys.exe

          Filesize

          13KB

          MD5

          fbe3105945c809e8bf6e00f7fef8ce54

          SHA1

          e4b4b6a33f2126392c845abd1669f10511f5c42f

          SHA256

          588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

          SHA512

          50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

        • C:\IntelprocBH\xbodsys.exe

          Filesize

          2.6MB

          MD5

          678c88b8f84541a82ed965c60b03fa2e

          SHA1

          6ad087048da401e43a73cd2611db275a98523223

          SHA256

          980eee12aa3c1f8f2051b5db18c345c86d53ce08d734905d404f8351413a9427

          SHA512

          399764b3aa81f4bf790cf7d71dbdc1d99600e7eb2edf49b327a479f7125c2bb369860cf9fefde8961c35deaf8bd4b587726dd0c53b6f8ad84ada5b3f4b166126

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          55e0dbfa6eff772945c470db86c29055

          SHA1

          f76162df69191c8f7d193f3fe114225162b435aa

          SHA256

          b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9

          SHA512

          542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          a2c8139958833a967304ac5f05b8908f

          SHA1

          897c56e3e6ea8df50be483e6d1d38daa09bd17a6

          SHA256

          bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d

          SHA512

          3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          2.6MB

          MD5

          9c3cbbe72db06f2fe9e03a7835194c86

          SHA1

          2960265378ad54c4ef65a75e0351bb9c9a4e1204

          SHA256

          57bf6c092a7b8f76f39579b99e988937f45075598c0632bbe6333d3dc558bf45

          SHA512

          c9e1dcd006734a62740331448ef338d161e847d280bce5b7639d4de7c240442600e5becfce16330792ca3551820ff5de3c6af5a01ba8f501a2ee37adfade403b