Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 22:04

General

  • Target

    4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe

  • Size

    2.6MB

  • MD5

    4a836cfb060f1f2d768f82f786eebb11

  • SHA1

    f845ec8ea795af33cadbf5d588935d296d088f8a

  • SHA256

    4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068

  • SHA512

    f49f79c5a8e3ff475824535b3405ff93cb6ab686502acf7896743ca8cb26e7bcfbec3f6f769e1c3db4cea36eca17c3f797f706c25cd1a519bd2f0caf5e0563c6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpybV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
    "C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1724
    • C:\UserDotYW\devbodloc.exe
      C:\UserDotYW\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax8X\optidevec.exe

    Filesize

    2.6MB

    MD5

    bc92ff2c466662d4a084a9e369f30cfb

    SHA1

    315e6781f7c3974404334fd6b7f17c7d8b08b5d1

    SHA256

    96e49fae039353ede60ab7ce4332d9130b1b718d888d67107b044403ef58bc71

    SHA512

    9f37b87dfe9763bcb2187cca521dbeb82376d048ead13b3fb3a80641e1734cf1d1d830535c9c3bc607d5e008e0d965074fe8f10e3aafd3cc93a82d89ec5a5e8e

  • C:\Galax8X\optidevec.exe

    Filesize

    2.6MB

    MD5

    56302b181d9d5cd7703046aca93da057

    SHA1

    71453145f8d2ea7b12d5022793ef3ae747caa8e1

    SHA256

    e55f0fd4043f2637b5b9f2dfc4a8ed72bc400945db6017fe51cd8e0b1e567440

    SHA512

    cd342c7b2cccee6372a3bf0a7dd69eeba6441e35dfa9396cf65f8f99c5ab0a4acfb0aeda14dd00be3c0fc2019cd0bb167a45bd15a833964778dd95f803a90773

  • C:\UserDotYW\devbodloc.exe

    Filesize

    2.6MB

    MD5

    646612680e812de985fe8f60c2cbba52

    SHA1

    bb66a888d8a8daf6687e64e4929011c5441f803f

    SHA256

    5e2ff79cbdec22f0c166833f3ceae77bd859dc0dfa7cb62a3f895b8c3f1506f1

    SHA512

    f9b35d9a96c7d83de80ad74a886b29ce18b29360979ebd90b7132a7a934dca8de8c755211496fe13d1fbd2b9a6d8d3f96ed2257d81ddc160b477c5c8f9bdc79d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    d13a9d458bcd2c8608ed5180207d61d5

    SHA1

    ff145e5bbb886dc8a2daf075a16f5aa95889358c

    SHA256

    a8b989fe084cc41f79d8e9af519cc6aa37c9e55a310569fce4015c8da4a2718e

    SHA512

    481aedf7dd3ff1d8daafae9ef0e234be67666ce58706abe6afbd3815368bad3faa893e09563545403acc80c84eb6c02cdde6f07282a6fc4742d94a4054a14f4f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    c62ff5db21ad9566e0e502f4f7c59cbe

    SHA1

    d5f25f95509e9660358673c7c6a61286f452befe

    SHA256

    12f86de19d3e41c074300798d4bd30b22de7cac3b8bcab9acef02356dfad1aea

    SHA512

    26484f2633f843c4c7e98ac003bea8b2028f3a6deffe97590c85dd7c0a5a22e640f2a2d2f9ec689d214cdbb89a64b23165ad9ab991555e58c139407f93d96ecb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    b322bf339455139248a52159b49b2c2e

    SHA1

    bb15fa0e524f3dd083c6c19f730d2270e62e3945

    SHA256

    a19e40b56f2ea2606c9c54985eecee40d7445e68b7fbf820d93457bc28b7691f

    SHA512

    4050ae9ceeede4a113fa36e0ea307043d0670e2a2007a094988fa710897a7005f598aec8b3bee8973fb3a112c3c9aba5cf6567119971e02589f5187fdc14716c