Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 14:49

General

  • Target

    50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe

  • Size

    2.6MB

  • MD5

    a090dc0f5b9a2dc6498e66d6336da710

  • SHA1

    ca5f8b4ba7aba68609734727e7c9ebac0bf6a407

  • SHA256

    50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7

  • SHA512

    ea713af642c65d011ad5b2c9c8fd325f7027c4598914589f6033ce0659d2e8a86798eb15a7eee591e5e0d2bd01c98dad3b9ebec296aa6743741795f5415a1243

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
    "C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3056
    • C:\Files7D\xdobloc.exe
      C:\Files7D\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1452

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files7D\xdobloc.exe

          Filesize

          2.6MB

          MD5

          72a16782a265923db2e3338eae449172

          SHA1

          3d406c1c5ad077c9de7c5565bf6e027f6891992e

          SHA256

          f9affbcd2fbcec63009f87e5afdf949c462ffbcd79aec44d7a929d1ae2a431b5

          SHA512

          1b3f4642564a6dac318f01caf19a40799fe2f4ac073943bc92ab1111bcb050cb210124bed8af682b8ccfccb9fa41e25070ff56f027e242e5f3c9c8be4b5df1b8

        • C:\GalaxK9\dobxloc.exe

          Filesize

          2.6MB

          MD5

          8f79af9310a3d262ef129d280b180f5b

          SHA1

          dda598130d6af8066af8021d3fb2a03eb988c830

          SHA256

          e94f96a514a721db424b083511c4b06447de77b3886c691d4ca0121621235837

          SHA512

          55c128d559b24a10d645aefd556f5a84c8da67e7154cc6764669dd85350baec64e0bbd784d4daad9e88efddfe7e838fce55bbaad5ea8b935b64753d22d162719

        • C:\GalaxK9\dobxloc.exe

          Filesize

          2.6MB

          MD5

          187bcc32c6c18b1e7fe8267bb33c4b4c

          SHA1

          32f3b48e085799e3b00d307f1ee2325a2e10b9f3

          SHA256

          d53e432e31c7ab029ffb742210ae2933379728a900a09c7dd3273ff2866e1e94

          SHA512

          1b0c5f38f68c226901ccaaedff88b853d96583b5d59c0a2201944ae8b95ad7f566acc12a9baccb037d43b2d24477b62c80719c84616674785843e57460ed1202

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          6f0322acc60cf496c2bbbbb9c26a2f6f

          SHA1

          c70a17d64203f5da0c7c180db09b6eedce7c13ab

          SHA256

          98a29bf3345f6594dfb41171594a82b35bbe6410cf456bcebbbd569c009cd0fe

          SHA512

          216db69a66b5e67a0192c183644e6c4339b9c73d31a961a8dde138be1b7aee1c77645152589cc4fe716c019267e08c5beaa9239037e11499cb2b2e822e4fad52

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          e6ce8495ecafb97985dedf6f40d586df

          SHA1

          817669ddfd3f4722fa9f4206ef14860e1c7756f6

          SHA256

          63c975ba49f1cc1f2a45825137768cb1a3a7b6e0912c3463535db294f7e72e3b

          SHA512

          f8f10af4756d68c39b7d22a74fde07d3c8b0278e16616d07703b65f558a1affa34e7fb15a26c2ade5c5b4f7dbb7e08859876d3710cedf666fd15395a28f2843c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          2.6MB

          MD5

          6cbf66966e1e3ea688f41de9ea990e30

          SHA1

          f5c65ebe69b5482d8f6e3b3f701b8f8d5e8dc38a

          SHA256

          6589656debcec3d6d6c25a14fc620691e4ebf64900ac6b4a2ea5eef8d37215db

          SHA512

          978e0d7d771ad8f62fd77adb9f9b57457d76d61f96c5b03d672950f2fe01798114c53e2a9b3ceb8bf85d01dfbdbe5e02cdda1a510e9a87d076aea6de82c48700