Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 01:18

General

  • Target

    95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe

  • Size

    2.6MB

  • MD5

    905d011a98a1a1811ba2223a881d28f0

  • SHA1

    858eee90065ff04f060b3e24ad01be50c29544c2

  • SHA256

    95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44

  • SHA512

    8ed38b6eec1e6a871f3c9b41e0c4c2578c67253f429eb68492237fab19aee36e136610feab801889825e23953671dac6ab1bb42aa85a0b1ea2315655bc33eec1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSq:sxX7QnxrloE5dpUpWbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
    "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1704
    • C:\UserDot68\xoptisys.exe
      C:\UserDot68\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\GalaxES\bodaec.exe

          Filesize

          2.2MB

          MD5

          e3c26f88b14df08468774142942efd79

          SHA1

          3c68474d943567be9a949aeb7e84596060ff2039

          SHA256

          f323527e6dd64a5705c54fed7af93a3f6b4eccbba8c4e7a547aae005be1767c6

          SHA512

          bc7c9de747fc0a58bda64369869aa6362c0f54266b6f1a0ecad18469808494c9352d024ab97445a7957a554632a5dfcd0490d44acd199e3e3287de9cb34341eb

        • C:\GalaxES\bodaec.exe

          Filesize

          2.6MB

          MD5

          fb338a55370167b7e886f48e20bf12ef

          SHA1

          d4d98dec886f2e89d2460c28bb75c670dea30870

          SHA256

          289a0488d65b14038e6e35755cc3ca09ba1d37e2533bd909b8f899267157c7ae

          SHA512

          60b657d7cecad71f4c606c0c314883aaf8b2632e0181b64189a1b3abff0d40d31a9d3d76567549320ac43552b4942da6e22a9dedac5bf97ecc42302e66cafb82

        • C:\UserDot68\xoptisys.exe

          Filesize

          2.6MB

          MD5

          161250e1362ef11bfd3e438648bf4e4d

          SHA1

          d9578c45ce6738d9e2702f2679baadb09b633080

          SHA256

          4ceb7e47ba3eebe7536d747ff0fba4c523cad3b517c3f170ec47955ac8613134

          SHA512

          4edf8b020292b77b8af1b7d8b9bc28a48c4c55bb4f9e0ae30367620d604445493355fd43d45fc558d431fa75b55c3989d5d37462c765988b1f5f0fbbb439d953

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          61a4e943e276350e545472f356346ec6

          SHA1

          c2372693a7a18974b818b6a3f478f3573d766e3e

          SHA256

          039a88244cd4c0b30cd3d701a96c9f7139194e08ca58407158533f06ad4866f8

          SHA512

          27b0d726ed9b8319b664615064bb1aefda5430cd978572e0d2e6c2c5fef878e795789fd7de0c3a5ba69065d58bf6db4c1e6371e959da5da48d141dc1cd4d7455

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          b68f5cc85a7ff2ea0eeb772160bc1574

          SHA1

          22fccb8b7b1df7ba732d707fe476561a82b6e263

          SHA256

          4a07c9e9dfe835c6df1e8c8c7b55a0c0b3a9bfa3f948893743916ae284326763

          SHA512

          3f0ababfa58fe400dc0e02cf512f189cf8f81a144a23543810a0dde99a3b91cb5af8215d6c6b3e9c0d12c36167a18da1610a0588d4ad3d2252a1ef3757bd3498

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

          Filesize

          2.6MB

          MD5

          d9245070145e6b9bef2051362f7ec7e1

          SHA1

          967d89e46717de5d2636bdf33fca76518f5071af

          SHA256

          5027010129cd490ec576a5ed049ed13d951f463500788d6170c8aaae86c549c6

          SHA512

          3b25cdba46cd781e6eab152946f9096c17aafe74332d5871d8bd35cfdf4a5a3498f0a602997e34de64c61360456066162974a187102c884f2c8dc78918fd063b