Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 14:34

General

  • Target

    b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe

  • Size

    2.6MB

  • MD5

    8b3600d845d35db96432e598e7d45770

  • SHA1

    b1cb17f0b17ab255fe2df7fa898c41bd4c9fe4ec

  • SHA256

    b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81

  • SHA512

    7889c5dc8ac7dd1b110975231f5dbee6c549de56ee8cd545afd36f87ae9bf431b1b1d7089881eb0a46cedfec2faf4f3216cc960249327e9efcc40aeac19219d3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
    "C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4312
    • C:\Files0W\aoptiloc.exe
      C:\Files0W\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5032
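Detection logic for the drop-then-execute pattern in this tree, as an added example (not part of the original report). The process-creation events are constructed from the tree as shown above; the report gives only nesting depth, so the parent PIDs are inferred from it, and the three location classes matched here (user temp directory, per-user Startup folder, executable directly under a bare root-level directory such as C:\Files0W\) are my own choice of what to look for, not something the report defines.

```python
"""Flag children of a %TEMP%-resident process that run from persistence or
drop locations, using the sandbox process tree as sample events.

Added example, not part of the original report. Events are constructed from
the tree (PIDs and image paths as shown); parent PIDs are inferred from the
nesting because the report only shows depth markers.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]
    image: str


# Constructed from the report's process tree.
EVENTS = [
    ProcessEvent(3372, None,
                 r"C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"),
    ProcessEvent(4312, 3372,
                 r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"),
    ProcessEvent(5032, 3372, r"C:\Files0W\aoptiloc.exe"),
]

# Per-user Startup folder: anything placed here runs again at next logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Per-user temp directory, the usual landing spot for a freshly fetched dropper.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.I)
# Executable directly under a top-level directory (C:\Files0W\x.exe) that is not
# one of the standard roots; the exclusion list is an assumption for this example.
ROOT_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(?!Windows\\|Program Files|Users\\|ProgramData\\)[^\\]+\\[^\\]+\.exe$", re.I)


def location_tags(image):
    """Return the set of location classes an image path falls into."""
    tags = set()
    if STARTUP_RE.search(image):
        tags.add("startup_folder")
    if TEMP_RE.search(image):
        tags.add("user_temp")
    if ROOT_DIR_RE.match(image):
        tags.add("root_level_dir")
    return tags


def find_dropper_children(events):
    """Return [(child_pid, parent_pid, tag)] for processes whose parent runs
    from %TEMP% and whose own image lives in the Startup folder or in a bare
    root-level directory, i.e. the drop-then-execute pattern in the tree."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is None or "user_temp" not in location_tags(parent.image):
            continue
        for tag in sorted(location_tags(e.image) & {"startup_folder", "root_level_dir"}):
            hits.append((e.pid, e.ppid, tag))
    return hits


if __name__ == "__main__":
    for pid, ppid, tag in find_dropper_children(EVENTS):
        print(f"pid {pid} spawned by pid {ppid}: image in {tag}")
```

The "Adds Run key" signature is not covered here because the report does not show which key or value was written; a real rule would pair this process-ancestry check with a registry-write event on the Run key.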

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files0W\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          98d1ca7bd82b728e2d51fc7691159edf

          SHA1

          e587c122c63f7c2da4e2fce902a3eb348f100cb9

          SHA256

          d4a904bf30aa5aa6c9d6769ef7555ea4a61b14a53aaaa376ab67c4345bc003d0

          SHA512

          f823dcf982b64769214ede8efe9e83fd39c02ee01f184202cf401c96dfbf5af50399ca03411fda1762c2d72fe048848dc09e6241711b44631a3e43992c4be6e7

        • C:\Galax7V\bodxec.exe

          Filesize

          2.6MB

          MD5

          a6d9fd51643f775d5f02301c5f90553a

          SHA1

          fda4f2e6c235a4e2f4274efd781e775d226e8865

          SHA256

          08d478aaa815843e0dc1a7b35d37e9790e1e84d183c770ae6907d324f4a74fd4

          SHA512

          992796719f70cf65573ff576e4cc79d64bcdfba9d7fe9bde5e6efe9534fe05d9e1127b8ee6ac781d75eb54c188699f7515f10e96f43e96f633a3a33f7aaf5935

        • C:\Galax7V\bodxec.exe

          Filesize

          2.6MB

          MD5

          c679009ad8c59858c8937025094ad9f8

          SHA1

          483459a17ff5de7d34b83feaeec02ef2c860e001

          SHA256

          6d8b0dedb800f829ae95e04580ddea922396de6d440a4625b1da5dd2c04d0321

          SHA512

          2ee5ffe895d96327c9040b12fea176bb9a773e9041affb3ec8ef69822b9419d50866045ec9ac2c6521928ac17b75f2ac0165ec59b63a406d594aa5c75f89feff

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          df9606d0686235bb050219cbc80bb5f3

          SHA1

          cf88e5bfa8e8e20c04aa28a2ba06a3d0e5446a36

          SHA256

          f99d900e55669864b5e2f2ef9f009cace875b04e95b2ee5e7c3429da7b89ed75

          SHA512

          c040080da21505ff1184a53dc968b93cb3f78022c5ba9744b5dd266a25473a620dc39e9d625c2a1abbf83f86ac7ebfa9aace0e9ea654d340c99e80a312ec5c36

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          903be4fc99a1444568451b93307d29fb

          SHA1

          72aad8a3e0e63a2221876a5b057301486f05c385

          SHA256

          4f77de82be5762fde55b0e741acc7175f3b79bb6fb13a5b49cd3d3f245bac639

          SHA512

          5318446cc3b955649808e6b6e7c89296493c447e0b2520943dcdbdbbcf731b66f6332acc24af6b2f8c850e6060697f27ccd916f3bd9c48b91fe3ad34fa341c8f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          a0783ffe2820ed0262a17028ec9af3d8

          SHA1

          c119e61399b07484f5ca1a2a721311dd618a7dae

          SHA256

          4c2747247f35e07d38b17a50a1f529b9ee5fe1087de079f678a2e7f42b2bb291

          SHA512

          73fbfae1bab7f02fa65aa876df84f50c19e720f9b094b88bf52e6ec3fc58276b65b5676176624527f517dbbbea0ea11f5e71b66f6e2a10fa22b1afdcef7ce402
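Cross-checks over the dropped-file list above, as an added example (not part of the original report). The records are constructed from the "Downloads" entries (path, reported size, SHA256) and the executed set from the process tree. Two caveats are assumptions of mine: the report's size is the coarse "2.6MB" label, so equal size is only weak evidence that a dropped copy is the same binary, and "not executed" means only that the path never appears in the process tree during the 119 s the sandbox ran.

```python
"""Consistency checks on the dropped files of a sandbox report.

Added example, not part of the original report. DROPPED and EXECUTED are
constructed from the report's "Downloads" list and process tree.
"""
from collections import defaultdict

PARENT_SHA256 = "b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81"
PARENT_SIZE = "2.6MB"  # coarse label as the report prints it (assumption: treat as equal size)

# (path, reported size, SHA256), constructed from the report.
DROPPED = [
    (r"C:\Files0W\aoptiloc.exe", "2.6MB",
     "d4a904bf30aa5aa6c9d6769ef7555ea4a61b14a53aaaa376ab67c4345bc003d0"),
    (r"C:\Galax7V\bodxec.exe", "2.6MB",
     "08d478aaa815843e0dc1a7b35d37e9790e1e84d183c770ae6907d324f4a74fd4"),
    (r"C:\Galax7V\bodxec.exe", "2.6MB",
     "6d8b0dedb800f829ae95e04580ddea922396de6d440a4625b1da5dd2c04d0321"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "203B",
     "f99d900e55669864b5e2f2ef9f009cace875b04e95b2ee5e7c3429da7b89ed75"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "171B",
     "4f77de82be5762fde55b0e741acc7175f3b79bb6fb13a5b49cd3d3f245bac639"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe", "2.6MB",
     "4c2747247f35e07d38b17a50a1f529b9ee5fe1087de079f678a2e7f42b2bb291"),
]

# Image paths that appear in the process tree: dropped files that actually ran.
EXECUTED = {
    r"C:\Files0W\aoptiloc.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
}


def rewritten_paths(records):
    """Paths written more than once with different content; the sandbox lists
    each version as a separate entry under the same path."""
    seen = defaultdict(set)
    for path, _, sha in records:
        seen[path].add(sha)
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def polymorphic_copies(records, parent_sha256, parent_size):
    """Dropped executables at the submitted sample's reported size but with a
    different SHA256: a hash indicator for the original will not match them."""
    return sorted({path for path, size, sha in records
                   if path.lower().endswith(".exe")
                   and size == parent_size and sha != parent_sha256})


def dropped_not_executed(records, executed):
    """Dropped executables that never appear in the process tree."""
    dropped = {path for path, _, _ in records if path.lower().endswith(".exe")}
    return sorted(dropped - executed)


def ioc_sha256s(records, parent_sha256):
    """Deduplicated SHA256 list covering the sample and every file it wrote,
    rejecting anything that is not 64 lowercase hex digits."""
    hashes = {parent_sha256} | {sha for _, _, sha in records}
    bad = [h for h in hashes if len(h) != 64 or set(h) - set("0123456789abcdef")]
    if bad:
        raise ValueError(f"malformed SHA256 values: {bad}")
    return sorted(hashes)


if __name__ == "__main__":
    print("rewritten:", rewritten_paths(DROPPED))
    print("copies differing from parent:", polymorphic_copies(DROPPED, PARENT_SHA256, PARENT_SIZE))
    print("dropped but not executed:", dropped_not_executed(DROPPED, EXECUTED))
    print("sha256 IOCs:", len(ioc_sha256s(DROPPED, PARENT_SHA256)))
```

The practical point: all three dropped executables carry hashes different from the submitted sample and from each other, so blocking on the parent's SHA256 alone will not stop the copies; path and behaviour indicators (the Startup folder drop, the bare root-level directories, the Run key) are the durable ones. C:\Galax7V\bodxec.exe was written twice but never launched within the run, which is worth noting before concluding it is inert.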