Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    08/11/2024, 14:56

General

  • Target

    6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe

  • Size

    2.6MB

  • MD5

    660feb1886398baf42ac5e6c1d7fb930

  • SHA1

    edeb7f81eb514b3a68e9cc08037f2ddaa65d5a28

  • SHA256

    6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23

  • SHA512

    0d4b79c99462c84731facf301a593836a29ab179eaa3dc3d0ab02e4830130ed8d5f26d091f9ab16f5a3109d8ba17bf71bfc72a0d2e65addf8c4056f058e32d24

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
    "C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2700
    • C:\IntelprocZ6\adobec.exe
      C:\IntelprocZ6\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2744
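The signatures and process tree above describe one persistence chain: the sample (PID 1064) writes ecdevbod.exe into the user's Startup folder and a second executable into C:\IntelprocZ6\, sets a Run key, then launches both dropped files. The detection logic below is an added example, not part of the sandbox report, and evaluates Sysmon-style events (ID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set) scoped to the sample's process tree. The events are constructed from the paths and PIDs in this report; the Run value name and data are assumptions, since the report does not show them. Path-based rules are used rather than hashes because the same dropped path (C:\GalaxXS\optidevsys.exe, and the .ini) appears in the Downloads list with two different hash sets, so the dropped files are rewritten during the run.

```python
"""Detection logic for the report's persistence signatures: Startup-folder
drop, Run key set, and execution of a file the sample itself wrote.
Added example against constructed Sysmon-style events; not the sandbox's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Per-user and all-users Startup folders (ATT&CK T1547.001).
STARTUP_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\Roaming|ProgramData)"
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE)
# Run / RunOnce values under HKLM, HKU or the Wow6432Node view (also T1547.001).
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str                 # named after the report's signature names
    technique: Optional[str]  # ATT&CK ID where the report assigns one
    pid: int
    detail: str


class DroppedFileTracker:
    """Stateful evaluator. Only events from the sample's process tree count,
    and an executable is 'dropped' only if a tracked process wrote it earlier
    in the same trace; that is what separates 'Executes dropped EXE' from an
    ordinary child process."""

    def __init__(self, root_pid: int):
        self.tracked: Set[int] = {root_pid}
        self.dropped: Dict[str, int] = {}  # lower-cased path -> writer PID

    def evaluate(self, ev: dict) -> List[Alert]:
        eid, pid = ev["EventID"], ev["ProcessId"]
        alerts: List[Alert] = []
        if eid == 11 and pid in self.tracked:
            path = ev["TargetFilename"]
            self.dropped[path.lower()] = pid
            if STARTUP_DIR_RE.match(path):
                alerts.append(Alert("Drops startup file", "T1547.001", pid, path))
        elif eid == 13 and pid in self.tracked and RUN_KEY_RE.search(ev["TargetObject"]):
            alerts.append(Alert("Adds Run key to start application", "T1547.001",
                                pid, f'{ev["TargetObject"]} = {ev["Details"]}'))
        elif eid == 1:
            image = ev["Image"]
            if ev["ParentProcessId"] in self.tracked:
                self.tracked.add(pid)
            if image.lower() in self.dropped:
                # Fires whether the sample launched it directly (as in this
                # report) or the Startup folder / Run key launches it at logon.
                self.tracked.add(pid)
                alerts.append(Alert("Executes dropped EXE", None, pid, image))
        return alerts


def run_detections(events: List[dict], root_pid: int) -> List[Alert]:
    tracker = DroppedFileTracker(root_pid)
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(tracker.evaluate(ev))
    return alerts


# Paths and PIDs from the report; event ordering, the benign events, and the
# Run value name/data are constructed for this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\ecdevbod.exe")
DROPPED_EXE = r"C:\IntelprocZ6\adobec.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 1064, "ParentProcessId": 900, "Image": SAMPLE},
    {"EventID": 11, "ProcessId": 1064, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 1064, "TargetFilename": DROPPED_EXE},
    {"EventID": 11, "ProcessId": 1064,
     "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"EventID": 13, "ProcessId": 1064,  # assumed value name and data
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecdevbod",
     "Details": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 2700, "ParentProcessId": 1064, "Image": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 2744, "ParentProcessId": 1064, "Image": DROPPED_EXE},
    # Benign activity outside the tree: must not fire.
    {"EventID": 1, "ProcessId": 4001, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in run_detections(EVENTS, 1064):
        print(f"[{a.rule}] pid={a.pid} ttp={a.technique or '-'} {a.detail}")
```

The "Executes dropped EXE" rule carries no technique ID because the report lists that signature with IoCs only; the two T1547.001 hits are the ones the report maps to TTPs. In a real deployment the root PID would come from the ProcessCreate of the submitted file rather than being passed in.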

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\GalaxXS\optidevsys.exe

          Filesize

          2.6MB

          MD5

          9c1b14eaf859a5c8d1197347b5ba1f9e

          SHA1

          9478eab83db7c1fb53c9c94947022329c0867665

          SHA256

          7133cc7f5018312aeaf1df1752dd6069c72cb53093cc8fca25aae87bdae82650

          SHA512

          390ef6bd5984bf3be90b09a9a286577982c74b282c6ae5728cda4f98af4c9b4ac84309490aaa7df536e41758af850d0c1e93d84691cabc89ac4bcc84fee5b615

        • C:\GalaxXS\optidevsys.exe

          Filesize

          2.6MB

          MD5

          c2c22aad98dc9d4bec0c8f1f518ddfd8

          SHA1

          9a40ab0480bfd4665005e238ffe8d1cbc6c99000

          SHA256

          5657fa62d6474603973e7f543958b005259fb114dda06b5c9e785f102edb5d94

          SHA512

          6c1c89da14b34f8fed64c4339ac093cb155e8af5a012cbc7728cde28ada30d3eab376349d05960dbf545301b3e8503d12f07a6f2cc2fff386d962dcbe8a3bb59

        • C:\IntelprocZ6\adobec.exe

          Filesize

          2.6MB

          MD5

          54164f59540335c05a33967050bdecaa

          SHA1

          a564fd69c44d5006d55115e1e42a7a220f7dab0d

          SHA256

          c9b5f92be3df921a7033dd3364ab285b0c51e87b076dfddb40f83515fbb6ec6f

          SHA512

          5a491d9d3a0831d4aaeb7f74a2606d09e0437c66fd9e54e4262540cfd6bbf3b00bf2cb931a056369f9ead4fa54df243accbecd16342736f070ee32ee2ed89f4d

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          176B

          MD5

          d7a335f972f34c9a127707baa64f6cd0

          SHA1

          1786737e1380bbc2993711b89fba8eaa31ee8d63

          SHA256

          9f2a31b39f22748cf1d5d510fa8feae29c477dcff5ebc12a54c4306b7874f597

          SHA512

          16ce5e53717a6b3bc54698b86da1a3674cb6665228f4648d9306892a5e15fa38ca701e564afa4e84f4750c66041880c822c15bbea06af20f20191ef825afea15

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          208B

          MD5

          cf667dabdedcea742fb3481fe8ce27c7

          SHA1

          fcc43bd9e31066044376cb15b1528979fecfad13

          SHA256

          28f9ce5b9b5c8fb76937e47fa71da4d3bba1db3a7921b529667e33e651acf879

          SHA512

          0c33b3ca0011cfc80983e24e1709333ef5145eef53dc544f8cc92cbdbaf4d232f9d02bb201a7edabc01189824916d78ca9754fac5a9fae9f1b01f3ae29298cd5

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          2.6MB

          MD5

          9844cf281abadfda855445b503ced7bf

          SHA1

          df32396a511e060b3df3dbd32ef9d89a56f1c573

          SHA256

          7790045b61f138815c64302b6a8d3cae62bd652c4e9388d66ac7a3eeb62e45f1

          SHA512

          88717d0c50ddcce5b5265981a6e19e9f012b911770714c6e8c025551a0fde61be1f83a51c1845e50966f67ab8382d50bb29072597714141b36265837cc7544d6