Analysis

  • max time kernel
    118s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 00:02

General

  • Target

    4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe

  • Size

    2.6MB

  • MD5

    58f112e134ba38876c9e55651bde32c0

  • SHA1

    cedbdf28dc10b68ace93a699fdcb19176f8d9501

  • SHA256

    4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631da

  • SHA512

    e299c0e560028e708192c8dafaea60a6daea3ba409421a0f060d2c52ed08ba27f0bf661dd8b5077ae0287d0ce873ba3cfcffec15c1b16979f5702be9fcc71457

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
    "C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2856
    • C:\UserDotMW\adobsys.exe
      C:\UserDotMW\adobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\GalaxGE\bodxec.exe

          Filesize

          2.6MB

          MD5

          d9d9e2f72d0f4839ee6feb448bbecaeb

          SHA1

          6d16ae3bc56596a4f332eac963cf3765e97312eb

          SHA256

          6b6b4fff12b975220cd3f79e19a59b54276a06351fcf392d1a0abb9669ea6e22

          SHA512

          a615e3c2772498055cc0ad873f7b6bbe16c0eff58f14ff5fdcffaf2c6aa07790205066b0ed59eb2a4ce0598e2380b9558a09730e538f3a0a4f3677b9f4d02918

        • C:\GalaxGE\bodxec.exe

          Filesize

          2.6MB

          MD5

          925ce024e8853225a93d61ec9099f0f7

          SHA1

          e2a1929ac93b3a70604c8220e8f3bf2fbb70991f

          SHA256

          a142b15c368bcebd3c37a0f7ef319ad1638b9222464790622dac723a3a7b21cd

          SHA512

          c07bdb59e1d4bd2b03a29c5a83efc476e7d20475cda21258b0fe16a15f6d5cb4e9686959f491ac79982e90d0e9754906992fabadb2036990517bb44eb132ccf8

        • C:\UserDotMW\adobsys.exe

          Filesize

          2.6MB

          MD5

          e0a6663c0d9371dd7be312577e2ff353

          SHA1

          2170c77afa97037771538f48e99c108b1e1d1191

          SHA256

          a505c7f4ed4adaa662b259fa3ee3e7b5cff549fa8cea1992454802712bf509da

          SHA512

          4af56bf7761c34aa5cb7ab863e2c41a40f1b370fadfe25882b0ed59d7fe2694500fc4d918b688b1ba29fcf5334e4f60d5bfc55f3435e1a13bad00be752ccedf5

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          169B

          MD5

          2916f0739a13a424ed4c9adeea18b2ce

          SHA1

          81056ac9d2d6ccf34f6deec0a9a5367b72d3ab65

          SHA256

          4457197ac2143635e6719911f72d5623287b2e96e3fd202eda0e09a8348427b3

          SHA512

          11d19ded905529798795a8efea5153fcfcc713b0e2b7129070d0a55ea5e523bc4b178b041aaf68ffdce16b39de78837edf7ebaa981a4534f504cb1200c14a050

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          201B

          MD5

          55fb4b9fa9c17a71147fd203eb2988b4

          SHA1

          548024c3f48ccd5f8f902b3656081eab34771c5d

          SHA256

          7b3a4df6f5730727e9156da2f09c7c732935710293c75f987e8c800eedd27379

          SHA512

          7d6f776e60828ebabf358da653b3fe971678633e6c7ebdeb3b07d96d258434e368ffd55bf28ec5c891633aba639fbb7bbcf76fdef27ac42a8a67d74cc665664b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          0046cbbea71c79d6860359d808025a8e

          SHA1

          c6ebc350aa55fe4c74c3e23704c2acfe810d8258

          SHA256

          003d688df6f427a38e5bf1602f3ee98fb8521f4cbe5823c40d89627472fcb3d9

          SHA512

          24db24cc0ff81810caff87b3a19c37314ef10f954d2375144ada70e3423761df961d2627c9a34e9afe2687a5e99d35caf0f467517c15d8986a7ffa8b32f63086