Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 14:54

General

  • Target: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
  • Size: 2.6MB
  • MD5: 5fd1eaa5bafc7b3c881b91da1d0e0ae0
  • SHA1: fc34e90d58f6e4d457fea938a790713b58e43ee2
  • SHA256: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b
  • SHA512: 87ca8039307e11b974a1c3fdb891defb14f7dd3096397813d80ae443c36a8dce4608d21db613ccf76371d183a1a099222eca2331fb2235d672bc1bfd16f36049
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe (PID 2164)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 1916, child of PID 2164)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvGH\abodloc.exe (PID 4520, child of PID 2164)
      Command line: C:\SysDrvGH\abodloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

        MITRE ATT&CK Enterprise v15

        Downloads