Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 00:06

General

  • Target

    2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

  • Size

    2.6MB

  • MD5

    c21ee1eebb8a3a74eebfe5f4f5a6e590

  • SHA1

    7589d40f762bdc6857fc5b9830a5e803c9329173

  • SHA256

    2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e

  • SHA512

    89377f2e304218854729ce9bba13fab4a892fd6b18f65c5b13d5c8abcfe449058bf320056ba3bc773b2da562331b0a40bbef54a5f58b02741868cdb295c3afc0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
    "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe"
    PID:1724 (depth 1)
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      PID:2412 (depth 2, child of PID 1724)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesUS\devoptiec.exe
      C:\FilesUS\devoptiec.exe
      PID:2936 (depth 2, child of PID 1724)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesUS\devoptiec.exe
    Filesize: 2.6MB
    MD5: 7ba42336e0b7c150e5fb19e0d750467d
    SHA1: 533c53cc42656c0a3c05f6508b4ac04c64a5c587
    SHA256: 63b29a5760787529f861a2402ff0d80b2cc56af8a3fadf48d48cbd1def4efeee
    SHA512: fb20f6516c7746a5d0c02f2b947b1cca1dd2ecb2cd2c6e0c2b32875c748703fa23ce7912f26891090a2304d3c0dbb65811b3db4f1a62e03e003147bf9477f0bc

  • C:\Galax21\bodxec.exe
    Filesize: 2.6MB
    MD5: 8c2c9efb4adc543428bb0f2de655a84a
    SHA1: 60c8cc50c99f756989d4cb77ca829be8bef5fca6
    SHA256: 44289753e65116cd3be4a55bb944dce4b3865f9090a11a319dd3b9ade7172928
    SHA512: 01009e54a27c5733d5d2d2f928da6e60ef877640017512bf40046aa9a6d299bf82e2d7585b43e7ca1684ed43672b576f10602ef8ecabcc4ce5f762750d635297

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: 0a836e9bea9293e6881ee87ce0ade9bc
    SHA1: 695494b96c0791385b168d624e8bd921eda56bf5
    SHA256: 8b18e7074cefd0f602a940d81f11b7e023ee93d103f3003fc487c2923ff2aa57
    SHA512: f0c7a52122a95f364b3f38b9352c5ac8dacee1dfd3f0877eb243bcb6ff413626c4a4ff5b9a612bebdefa7f7d5fa9e0965376a70355fe9f5d1833f329984e90e3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: 6420dd230b9d7833fabf2666c2d1dd5e
    SHA1: 54b8523c696abc12a44a5a96def61d171efc60a9
    SHA256: 4107017b524e76bdc3b5ea23df5ce6287e0844212a69733bfe49ebf2e04ed504
    SHA512: 9e6d82d8850d8d200a1414e16388135c1095927d8f77255c1698f6d1006d8b57a1691535b92d4f3a24031178a5bc22acddbc39263ea3fad97e53b3eaf881090f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize: 2.6MB
    MD5: 533c6024f3174cdd6ff5160a2715a018
    SHA1: 0febd7ee3dea7a43ae0c478bfdfcbb9057296ec1
    SHA256: ee54c167f9d0093f501fc1a348a80bba7612aaf4c7b8c282bf4f1e95fc2258e0
    SHA512: fa6d708d7176fe25c6b1e11b52d66db9d95d33e327f0bce6bc9e418a71638a3c70787c227d557cbb7e5b2420073f7928b20ce6e3b747b5c3b99d1e8292e05d74