Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 19:05

General

  • Target

    010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe

  • Size

    2.6MB

  • MD5

    cd73125f1fe8152cd43f3f5578c8baf0

  • SHA1

    5b24f6dc3a9dfd3c96daca88b89fbf2e46f2972e

  • SHA256

    010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111

  • SHA512

    6a552589b1f1ab116f526e64096d495e697871c86409056b80c0654a68dd74eedf3ab9589ec0b26e3faa559bdf042f32116f4458101d19049715a7621b044bfe

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpwb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
    "C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2928
    • C:\SysDrvG5\devdobloc.exe
      C:\SysDrvG5\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2248

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\GalaxV3\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          5d46f1583e8f4b4f3c31e60c84ed4477

          SHA1

          00fc9f97ff5f01d418d6d2e9158546989b8b3d46

          SHA256

          f49b02ee5f5b8bea5ecfd150c426e399d32bc8f9e03d4bae4bd5ca4801b100b6

          SHA512

          0cc4995b86bfc065c21b581d0771bc5778dc0fde6e4ded7c6d9c62e5437d6b5d02e8557f66f07ae7ecd9dfff6004f9c0f10c93b2c31384a8539b1b7e014441f3

        • C:\GalaxV3\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          81ce1b81c873dc78212b666a9283272b

          SHA1

          e29201ac69cfad4064f4e5b21f35a36f82faaa37

          SHA256

          1a8a3dafc167fce8464ee1f461fa97c3305c74f8e96d65fc9ec1e3c5ed962e8e

          SHA512

          8174ec4db9d91f50a4861bd4f7604c8bbe02427e961f3af38ecca0c37454f0b596d83ef7f0e3006ff55dad9167cc8b91d93a73a526039d0725f08080f08d4744

        • C:\SysDrvG5\devdobloc.exe

          Filesize

          2.6MB

          MD5

          a1ed1585f27394a6fc24b456f780823f

          SHA1

          691b3f888c6b6325cdbd9b856c608055440a12aa

          SHA256

          25a29a05767c888bfdfb16282fbb8bdbb75eb678b4fd6a40e98cb08ae56abc78

          SHA512

          b09178bb88e9a9065ef112539cc2912bcef63c1df7ec2fa392b4629526dcb5dc37e3725bfb4c5549787221cdf7b49b14ba88a03621503a8582bac4428c1b00d5

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          5026441d728cc76b2b04f4d90f87a6e7

          SHA1

          27b633d2bcbcaaf02a3a9ee88373589568acf8bc

          SHA256

          6ed41d72c0ee34db214ab8680578f2711ccb382f6b6f8629f1cd81199d002fde

          SHA512

          f2d746a2758d6bce6b2326df36a2cf24bce6176c0efb331614207f2b3ada6490bc8ecd79eb607f24a2d2bc96762bc2e2ea6b983d3acf7b4fd7b2d68dc70c1bc1

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          9fa69ed3efae6dbc34d31b8da980d2a7

          SHA1

          2989cef3bb0dc327a2339e3c7eba982ca5177e7d

          SHA256

          4e44d56dc9d7016d93edc4a3cc75164bd8fbc687c8cbfe10cebb2ea037aa9ea0

          SHA512

          d5171855501119e58cd83ff486177c003f5093b2a8cd140a3b22743976aea645ab2495a350329f4f572d87f771414b70d7f2e05bcfe1eafbcd04c531edfdb4ec

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          ce9805bd16cfcfda238a1a42573d6300

          SHA1

          50ddf1a060e6493764120a5e84712ee8a6ec24c2

          SHA256

          58a7bed7fcb09c5ac2f67b10c6c60603290f1c30625731efc04c1f8231ce01f3

          SHA512

          37347a0a5b24c2af6bbc9e9837f8762742474c55e0c67f2c9276bf682acc36ded2fb83441691a21374ecc323736586a958a55a822b4c51bc9f9851ce9cac168a
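The process tree and the dropped-file list above give a usable hunt set: two fixed directories (C:\SysDrvG5, C:\GalaxV3), a per-user Startup-folder binary (locxdob.exe), an .ini written into the profile root, and a Run key whose value the report counts but does not print. Note that every dropped 2.6MB copy carries a different SHA256, and the same path (C:\GalaxV3\dobdevloc.exe, the .ini) was recorded with two different contents, so hashes alone will not generalise across hosts; paths and names are the more durable indicators. The script below is an added hunt example, not part of the sandbox report: the paths and SHA256 values come from the report, while the Run-key search terms, the .ini filename pattern (the observed name is numeric-prefix, "6.1" which is the Windows 7 kernel version of the sandbox image, and the sandbox user "Admin") and the finding format are assumptions of this example.

```powershell
# Added hunt script (example, not from the sandbox report). Checks a Windows host for
# the paths, Run-key entries and SHA256 values listed in the report above.

# SHA256 values copied from the report's General and Downloads sections.
$ReportSha256 = @{
    '010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111' = 'submitted sample'
    'f49b02ee5f5b8bea5ecfd150c426e399d32bc8f9e03d4bae4bd5ca4801b100b6' = 'C:\GalaxV3\dobdevloc.exe (first content listed)'
    '1a8a3dafc167fce8464ee1f461fa97c3305c74f8e96d65fc9ec1e3c5ed962e8e' = 'C:\GalaxV3\dobdevloc.exe (second content listed)'
    '25a29a05767c888bfdfb16282fbb8bdbb75eb678b4fd6a40e98cb08ae56abc78' = 'C:\SysDrvG5\devdobloc.exe'
    '58a7bed7fcb09c5ac2f67b10c6c60603290f1c30625731efc04c1f8231ce01f3' = 'Startup\locxdob.exe'
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Fixed paths from the report (directory names are unusual enough to flag on their own).
foreach ($p in @('C:\SysDrvG5\devdobloc.exe', 'C:\GalaxV3\dobdevloc.exe', 'C:\SysDrvG5', 'C:\GalaxV3')) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'path' $p 'exists' }
}

# 2. Per-user artifacts: the sandbox ran as "Admin"; check every profile on a real host.
#    The .ini pattern is an assumption generalising the single observed name.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startupExe = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe'
    if (Test-Path -LiteralPath $startupExe) { Add-Finding 'path' $startupExe 'Startup-folder persistence' }
    Get-ChildItem -LiteralPath $profile.FullName -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_.+\.ini$' } |
        ForEach-Object { Add-Finding 'path' $_.FullName 'ini marker matching the report naming pattern' }
}

# 3. Run keys referencing any name from the report. The report counts 2 Run-key IoCs but
#    does not print the value name, so matching on the observed file/directory names is an assumption.
#    HKCU only covers the current user; for other users load their NTUSER.DAT hives.
$Needles = @('locxdob', 'devdobloc', 'dobdevloc', 'SysDrvG5', 'GalaxV3')
$RunKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $val = [string]$prop.Value
        foreach ($n in $Needles) {
            if ($val -match [regex]::Escape($n)) { Add-Finding 'runkey' "$k\$($prop.Name)" $val }
        }
    }
}

# 4. Hash every file found and compare against the report (Get-FileHash needs PowerShell 4+).
$ToHash = $Findings | Where-Object { $_.Kind -eq 'path' } | Select-Object -ExpandProperty Where |
          Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
foreach ($f in $ToHash) {
    $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
    if ($ReportSha256.ContainsKey($h)) {
        Add-Finding 'hash' $f "matches report: $($ReportSha256[$h])"
    } else {
        Add-Finding 'hash' $f "SHA256 $h not in report (dropped copies differ per run; treat path hit as primary)"
    }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell 4 or later session (the Windows 7 image in this report ships PowerShell 2.0, which lacks Get-FileHash). A path or Run-key hit is the meaningful signal; a hash mismatch on a file at one of these paths should be read as a new variant of the dropper, not as a clean file.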