Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 15:08

General

  • Target

    ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe

  • Size

    2.6MB

  • MD5

    453fd7630731c656c396ddc193d59e40

  • SHA1

    d6fb879028f527d622555695f55847102fd4b47d

  • SHA256

    ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736

  • SHA512

    58060e442a49fd1cbf144f851cfab4ca430b8e9e150eac625ddeef5d2a02eed82fefc8b2fa6c4436821ba98dcbf95e54291406e2179e4cde38a3c72fa2a58f0e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpnb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
    "C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4616
    • C:\SysDrvQ2\devoptisys.exe
      C:\SysDrvQ2\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4840
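
A host-side check for the artefacts this run produced, added here as an example; it is not part of the sandbox report. The file names, directories and SHA256 values are copied from the report. Two things the report itself shows shape the check: the same path (C:\SysDrvQ2\devoptisys.exe, C:\GalaxX6\dobasys.exe) is listed with two different sizes and hashes, so the sample rewrote its own drops during the run and a hash miss is not a clean result, which is why the presence of any executable at those locations is reported as a finding in its own right; and the Run-key value name is not given in the report, so every Run value is inspected rather than a specific name being assumed. The `*_10.0_*.ini` name pattern is an inference from the single file name the report shows (C:\Users\Admin\253086396416_10.0_Admin.ini) and is an assumption.

```powershell
# Added example, not part of the sandbox report. Checks a Windows host for the
# persistence and drop locations listed above. Names, paths and SHA256 values
# come from the report; the Run-key value name is not given there, so every
# Run value is inspected. The .ini name pattern is an assumption.

$DropNames  = @('locxdob.exe', 'devoptisys.exe', 'dobasys.exe')
$DropDirs   = @('C:\SysDrvQ2', 'C:\GalaxX6')
$StartupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Every SHA256 the report lists for the dropped executables. The same path
# appears with two different hashes, so a miss here is not a clean bill.
$KnownSha256 = @(
    '99fe2ea9833730ab338e181b1a62b051f4efb86cd9ac33e4384dd36766599161', # locxdob.exe
    'd9ad39a6ea61ca88fd5bf44d792fdefc6b724a6d7cf5cf6b6b84b9ec8966c653', # devoptisys.exe
    '2f66409de32e3d15a91688b20cf290790ec949b64ff81b2bc3bfa0b245dad89c', # devoptisys.exe
    'de10a88f95be38be641f63e255e5c31bd2a2d004d1e8ac915c74e8fcd77d8eea', # dobasys.exe
    'b8ada584c069a48155045ff2393f88ac5f70739fe8ef7c6fa2a2b31d77c194d4'  # dobasys.exe
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-FileFinding {
    param([string]$Path, [string]$Reason)
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $findings.Add([pscustomobject]@{
        Location        = $Path
        Reason          = $Reason
        SHA256          = $hash
        KnownFromReport = ($KnownSha256 -contains $hash)
    })
}

# 1. Startup folder and profile root of every local profile
#    (report: "Drops startup file", and the *_10.0_Admin.ini file)
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $profile.FullName $StartupRel
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -File -Filter '*.exe' |
            ForEach-Object { Add-FileFinding $_.FullName 'executable in Startup folder' }
    }
    Get-ChildItem -Path $profile.FullName -File -Filter '*_10.0_*.ini' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-FileFinding $_.FullName 'ini file matching assumed report name pattern' }
}

# 2. Root-level directories the sample created
foreach ($dir in $DropDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-FileFinding $_.FullName "file in $dir" }
    }
}

# 3. Run keys (report: "Adds Run key to start application"). The value name is
#    not in the report, so any command referencing a dropped name or directory
#    is flagged. HKCU covers only the user running this script.
$pattern = (($DropNames + $DropDirs) | ForEach-Object { [regex]::Escape($_) }) -join '|'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
        $command = [string]$prop.Value
        if ($command -match $pattern) {
            $findings.Add([pscustomobject]@{
                Location        = "$key\$($prop.Name)"
                Reason          = "Run value: $command"
                SHA256          = ''
                KnownFromReport = $true
            })
        }
    }
}

if ($findings.Count -eq 0) {
    'No artefacts from this report found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell so that HKLM and other users' profile folders are readable. The HKCU check only sees the hive of the invoking user; other users' Run keys would require loading their NTUSER.DAT hives, which this example does not do.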

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxX6\dobasys.exe

          Filesize

          2.6MB

          MD5

          4e965642b360681528c8f5125aba574b

          SHA1

          c34fddc401807e256c747638df9745c2e853e8bb

          SHA256

          de10a88f95be38be641f63e255e5c31bd2a2d004d1e8ac915c74e8fcd77d8eea

          SHA512

          be62eb8797c02fd84c2d2b0112751885f4290802921187358bcd10b606747bcb416902f3f4533eccc6e326f645a0bc887ea504f94b60b0489871adcf58f60a13

        • C:\GalaxX6\dobasys.exe

          Filesize

          1.9MB

          MD5

          3240fee6e83f6fe53b2bed700cd7f35a

          SHA1

          402ba2d91f71b67cb2f9c469e346921f002d3595

          SHA256

          b8ada584c069a48155045ff2393f88ac5f70739fe8ef7c6fa2a2b31d77c194d4

          SHA512

          5299d7ab732e3581d831d90d1a3d04e50c7496bdcf6e2c177f6b82f6ca55f06a1d6af37035c8370db1874129db2997febd6c779e1e752b7b96a75bbb0a712efd

        • C:\SysDrvQ2\devoptisys.exe

          Filesize

          2.0MB

          MD5

          48cac46c51577705034e8aefe6e3e26c

          SHA1

          18b7dcd0190b31a22078e53de73d10f639e7ccd7

          SHA256

          d9ad39a6ea61ca88fd5bf44d792fdefc6b724a6d7cf5cf6b6b84b9ec8966c653

          SHA512

          6b072c32cda36076a408e1896d9f25a03a37886e87bf4f45a4475b7603e42cac8f5193a71f1cd4c21abd39968a246a9996bb1c4feaa6dd438c81961e47000689

        • C:\SysDrvQ2\devoptisys.exe

          Filesize

          2.6MB

          MD5

          bf98eec1d3c215339a6f9b9cda791272

          SHA1

          ef820f281918d19efbbf4e77320497305981255d

          SHA256

          2f66409de32e3d15a91688b20cf290790ec949b64ff81b2bc3bfa0b245dad89c

          SHA512

          50bc98473404c75bb3232f4971fce734cd1a46b7e091604aa55b5b625dd48fb1382e89eebf439029682c6ab1ba00223d6c4fa1b1589e21efab72e944417c92d8

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          ac80a94d12a54cae29e6eb6aed6bb7cc

          SHA1

          f555bbc1d8dbbc75971ded28466d11ce9b11e6ce

          SHA256

          0473ac8c1902a57ee283d6f67f5cf262ab4edc1c2f3af137cc49e72e6c6ff7f5

          SHA512

          97fdc4f7e2b951088693c441eca0c69da9d1e292433f4de46ef2c6e25df6bfe57418084edfd972a4e5bcaa5e50ad9f374e81ee7de60871fe675aeb1f7d31981f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          525e275c6217d4423188c55ee97c1bde

          SHA1

          518c721fb1c672e4cc25f30906e73cb9d28f66c5

          SHA256

          fa1ec07ebc43aa1b5a61042cb87fe77b49bccf965b2142695f5eafd61b103079

          SHA512

          67526ef9bce5e3c60cbca4ead6a29fc0981dc343ad6febfba157d64897f71014e86f8176b8fabe28d81620eb21a5e7b08e66658136783c333b84ef2ef73ae714

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          1aff8409e99a76064d811e1320248c2d

          SHA1

          7bcae354523424df22d184c412aaf26c34e574b8

          SHA256

          99fe2ea9833730ab338e181b1a62b051f4efb86cd9ac33e4384dd36766599161

          SHA512

          3d8daa8836c81a953f1949b81c9d2a3880c182268a672f3244b2bf66a8cb8fc7a943fe882da092ee3bed0872bd709241a0bf9955c583f3b91ff986844e482275