Analysis

  • max time kernel: 150s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/11/2024, 20:30

General

  • Target: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  • Size: 2.6MB
  • MD5: 5de6be5c30bb2135981ae6980539632b
  • SHA1: 8e3d53cdf18a38a840114294342ab829d82d254d
  • SHA256: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f
  • SHA512: 822bb6bdfcc1acb0a56efe7b8b3d1201898b13196662d80e0c8c736191874c67430b32f0d65c8c3295f8fd0689a2dce36313d3d98a657997091b873ced15ea53
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
    "C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2560
    • C:\SysDrv9S\devdobec.exe
      C:\SysDrv9S\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax48\optixloc.exe
    Filesize: 2.6MB
    MD5: 40c5bbb60e55bbd1091d47ac106d7e70
    SHA1: a0a18e5ad953d4394451e1ef58fd4e6957169084
    SHA256: f33b4c2c37a38bce3d28311463ea3bb5d9655391cc3359be13ec83bd538a4023
    SHA512: c8c627aee442f9653bc266788d0f66cf3c9df122faed60d0c911dbdb170584be87e8bb1845544c0d269b05f140915dfe5a54809232234cf8405b03e999c2aa0b

  • C:\Galax48\optixloc.exe
    Filesize: 2.6MB
    MD5: 05177f4b4c1e473827ba1ba6ec9e3f89
    SHA1: d1b30c1144349697383ae012676fed0e367c278c
    SHA256: 6efc6cc16c0548cff13c43576524e691f99504226b50ad8620b6c325210290d4
    SHA512: 0475eec2dae0ae565c0d10dc034cd3d70ada75821675b6b97eaa3acae9f32c4a3a2f940b13dc45291dceedaf2132f8d08d2c4ec17905101613418ce4e6b5f4a6

  • C:\SysDrv9S\devdobec.exe
    Filesize: 2.6MB
    MD5: f04667c7c1a199613e1c669d9aa1f955
    SHA1: e908244991e1cd2ea933ac68d2c933ea067aff71
    SHA256: 329f53d04d871137cf0404f43f52c7fc4de9a96c08ca006506bf622bc6803e1d
    SHA512: d0f513eeb37fcf8055d12eb068be0c45c4ade949d11d6b6e9ec7ffb33cc25729e65d8a9b08f63d9b12b3a76aa4e56b2d8fb29360e21d57974dfdc67a0ff54521

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 908f256cc0adf8104fe5b78e721d0258
    SHA1: cda7a39ddcc166fd721d5a490ad718af4e672ec7
    SHA256: 887e6c0e0a77fc57a0f0cdb4f226e9c4a2ff6ed4be56a0790f1bb8aeaa9d4c9b
    SHA512: 2affceccf1b0b03c832f0eff7946dddcdd7ce074b2bf6d670351407e6475b44f3c20fd1c59ca73f54167e4b828b047ee379077514682b3bdf117f8a1ec0c0d6f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 14bf3dadc7715960818342191277588e
    SHA1: d6149fe51392eedc2f52d20ff58290ca4d0537bd
    SHA256: 133e3efad18e123cb5de66e7988057280e028a62bdfd3b814b39fc4eee5bd3b7
    SHA512: 2dac2340d48a081972316e5c6f1843d7d150d725253cbf8905811ee628792dd5c2469d97aecc411df0c927d09e3479f5892a66924488f4c25fd8fdc62716191c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize: 2.6MB
    MD5: 5e46fa8e685dab487116a70651d17f4f
    SHA1: 3f2ecfa7bf7ebaf4cc679b6239502b09eed474ed
    SHA256: cb59ea181ea1fd87f7edd6744a2f2a3074ed3ba313d276f4e15a124dc93604c1
    SHA512: 5c95d243543d0ede23dc6414f1eced3440b711275324ac093460f82670763d0843bc75cba7469c22955f6bbd6252ac24c7295c36b24fc1960298b6a1bcbf9f1a