Analysis

  • max time kernel: 119s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/11/2024, 15:02

General

  • Target: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  • Size: 2.6MB
  • MD5: 38c782e87792354ca420f178655dfaf0
  • SHA1: 55a9e267dda831d2f8fa98094e6ef04442c51bb2
  • SHA256: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604f
  • SHA512: acb6c699271127b8f9d38604f28388f924f8f7b93d0ec4e3280a42d6c0f7229c225ff4224d52c46510c8abfe17bf663d02103d4b561847ab20a226f64340f220
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
    "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2764
    • C:\AdobeUO\xoptiec.exe
      C:\AdobeUO\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2668

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeUO\xoptiec.exe
          Filesize: 62KB
          MD5: e3c1e18d7770dd893aa942c9aecc4dc1
          SHA1: 8adf83645cf43a82cda77bf18d759a37e4ad54df
          SHA256: 5b8be73bb804b9ca4c37d5459b2c0169da52e4ad81ee12172845ea4a33d90525
          SHA512: 534642203718bf2987c9ba3ad14ccbaba203295936a70dea0d2087ce906fe72fa2864588cadbe8b211cdcd8a247aebe86b466d7a4476f58100c1a9e2368bab25

        • C:\GalaxIH\dobdevec.exe
          Filesize: 124KB
          MD5: 16c54a64187790732bdf14c743e75567
          SHA1: cd4508cd11043066a0110db280963282bd8e63b4
          SHA256: d1d257486204cfa71efb312a88c94657525696c9ef867ae06728f605f0868201
          SHA512: 433466abc27394a54bf1f98aaa193d32b4228ae55e6a27028a8940b3aa0f4442515304e2deb1bd5ceb1f246c9a03d772e25a864af733ef386bfd15b53b232154

        • C:\GalaxIH\dobdevec.exe
          Filesize: 2.6MB
          MD5: 56a7de17573464ed782da58d2969bcf2
          SHA1: 4b0c65c9d7dc2982402361ffa09eaddc1bc87d61
          SHA256: 6210a5d3ca6df722f01bcccfeb1ac9d2fac85fe84488850e08eb1f70c8e5331b
          SHA512: 1863b89353604e62dd267761e96146665f92676fa4af7b59226421f9779b6f453caed88396025dfd294c28267fbf7fe7a293de3bb7a07e79e37c057725c7e40e

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 171B
          MD5: 0c61154b9ca7113fcbe6c2f4c67e15c3
          SHA1: 851d65913064140c8ea4c0d96a21812da2cd5fe6
          SHA256: f2d73691031bda161f82e28e858ae6bf0c5c38f85db7974b421938521542f2f5
          SHA512: 211a629fecf9d224545d7a30fc170c8c7f5a016062dae3ca42f5047528fa3d1ee935a1e4cac4922e9f59533f5605e5f30463b26975e60c28faca34d2cbfde053

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 203B
          MD5: 16f60b429e68d5719235976ce06e65f5
          SHA1: 62d31d5967e0a783935016695d858a8495e3090e
          SHA256: 1289172641c63b485add18a9588fcb94ce23e802c5c9ab5e9170819220095b67
          SHA512: b53e1fa10b4f9d1f22d421f43e897fe892d382133d02a71f01e27a16216dd90f5035914a094da30ef00bcab8eef9b0e92eb85a47e4d025f996580a14d009fefe

        • \AdobeUO\xoptiec.exe
          Filesize: 2.6MB
          MD5: c3d24a0e487ca5b5604bee9b5701be2d
          SHA1: 4890aa1af630336fbde43031803e048ac3f07911
          SHA256: b8d75be3b5bb0541eea5bcdc5e59c5b9db87688003a264a3dd179c5b667b9939
          SHA512: 7c9fbc04f33a6cbc98a5ea136c21d7a09880b49d95fe880795771d30799d9fb46e22e74d3512e2e67136af3d810d1194f48a8abca5049880be90423fecf75a82

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
          Filesize: 2.6MB
          MD5: 1eedd30760f00ef950f4c8ef01d4e2e3
          SHA1: 6d7d79c03fc6c13c40ee8591d5e86b2e3b9a0ff0
          SHA256: 809c349c8be486e55017cdb0106b34cfc62929a7ffaf330d9c7af4f4f4bea232
          SHA512: 72aa0ccfd480b1581a5455d9eb911b851eed7db70386a8c71c77313da41496849be94e45c16411b5c2d97efb8ab1ee3e2719f258d92e36fe9e85c79f505ba9f2