Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:34

General

  • Target

    b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe

  • Size

    2.6MB

  • MD5

    8b3600d845d35db96432e598e7d45770

  • SHA1

    b1cb17f0b17ab255fe2df7fa898c41bd4c9fe4ec

  • SHA256

    b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81

  • SHA512

    7889c5dc8ac7dd1b110975231f5dbee6c549de56ee8cd545afd36f87ae9bf431b1b1d7089881eb0a46cedfec2faf4f3216cc960249327e9efcc40aeac19219d3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
    "C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2816
    • C:\SysDrvWJ\devoptiloc.exe
      C:\SysDrvWJ\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2812

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxAZ\dobxsys.exe
    Filesize: 2.6MB
    MD5: 5240b4188a25398ef9b2e86db2bf7e2e
    SHA1: efbd6b8ed10d2dbed28819f2683ccfd542b06bb0
    SHA256: 391a35718f08e046d910fc0d37b8801932108a619b46b52589f8ed0b5d6859d2
    SHA512: e11c5512679f417058a0d2e0b5f0b4d7d934b30230d69591a823309c8f98fe404a3660bd356b93031d6faecad8dddc0b568258063d13d236aed23977c8879523

  • C:\GalaxAZ\dobxsys.exe
    Filesize: 2.6MB
    MD5: 48ab32d98e52a7628838322e365268a0
    SHA1: 254cfb57bb07ecad700b9bba22e08bc06f8c24a8
    SHA256: 898b85fa8a5225d2f989527e207e2f33f4bb6522597229d3fd0148e8acad448e
    SHA512: f1f7c3ad1746f300b4d6ee6591fc30a1fc6b73f8a10014814df7cafffa69a5e182c4aa5a92074e60fb7aeaefbb36d3144074d9df3c6b03ee6f95ffd1ead9b8b4

  • C:\SysDrvWJ\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 60da257db580d2d6f7a6ac56d1ed892d
    SHA1: a2764674e7dca1003b48a4d57acf2cdb18bb9443
    SHA256: feaa1e0cd43a61c39646aeff63950b01546f466bd1d77187383aea8de37c1715
    SHA512: d93455330728dea792754fad1dd001aee32e743823b37a470f00d435911be3e6b61d6186c7cbf864167de350461c059b3f8d12314c9f317bef36717ac65831c9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: b8814a2b791633755cd8555d168e31cb
    SHA1: 91938bfa4c9410f69678bbb92ba22039e399573b
    SHA256: 3d38c0629f42977c76c5754baf4f6c589a71a2a3b1ad6e59f544f5916c2edf7d
    SHA512: 5bb44331756eace25a7079494b1b03f29a3605c7b8e6c2a3f05e25bdee3de14c26975f3fe40d3ddcab36f5821ddf6797c19bca59dff722605ba913c67f953dd2

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 620ac2d3b36478b698ec8ec4e6417b8b
    SHA1: 2ace3018cf070ece97bd38d7098051f57a87f563
    SHA256: 8b6fdedf1509fe338c7ef0989eea2f3f67174137d11b150965a4099df7dadf6d
    SHA512: f63901186e58f65132535eb4034844ff6d5e0c4ff78dad5b7fcd4ef442c1245a32023515b9fe6592859bef17b3e507ce751e8b4095a4db425e84036674e2b64d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize: 2.6MB
    MD5: 14eb18cf9d76ed990b80dc1b817c0a0c
    SHA1: 1f98653d8c4e053d044873368e6cd0170f4cf799
    SHA256: e3c97a32126c69417825de96248d04d93cc1e93bd079a7497eda83c0492e518e
    SHA512: 033b8439c4d7899a3d260635839f3752c27ba9b6ed857aa888bbde9d3e42a798483226941234f67c3cd0a1afdb2d5c7ac45d3a951827801b3471802b54e67f2e