Analysis

  • max time kernel: 119s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-11-2024 01:14

General

  • Target: 595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe
  • Size: 2.6MB
  • MD5: f3b41a7c2f796c16919a93e2fce98790
  • SHA1: b4d93dd38d255dc20f209a20e87814bc6121a151
  • SHA256: 595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550
  • SHA512: efb2351ab78d032e4baf49560ead450800e33cae803cfcdce6c7a1260b8624cdf0579752969d722a3dc2fb5122a04bf914da76a1fcf4d63b15c138c8d25e2864
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe
    "C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1396
    • C:\IntelprocJQ\xoptisys.exe
      C:\IntelprocJQ\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxVX\optiasys.exe
    Filesize: 2.6MB
    MD5: 39725a9263bf972f3003b9eebaf3e95b
    SHA1: 69ba165f37663bdbd048b022c3be345ddf91cf90
    SHA256: eb5d0e283d9548a9a4c76dbdbcb3dc5a6c454f97c1a653a40e5b2378ead9a223
    SHA512: d83ba7f963c4dfa124b535d0dc2c776a2d5109ee971f50577d40b2baa7a58b779f5f84d2d0ebaab8fe1f24a20861e2afc920adaa92099926638c247062904fe1

  • C:\GalaxVX\optiasys.exe
    Filesize: 2.6MB
    MD5: 9e1a42c50a00e8df390d92e7b61fdff9
    SHA1: 6c9341d8481de37320a31f4388721143011c37d9
    SHA256: e59fd9f02f0154ddf51160745374d1e7e9ecb4bed2aacd88314d38fde3f44c42
    SHA512: 7a057748f36145ea318b1444e9659901ebaeb74e4e77d408f19e62c4605eb56909999ede21c8c1b622e620c772a90f0afb9226fe30d017c4300ab59e4ed9dc72

  • C:\IntelprocJQ\xoptisys.exe
    Filesize: 2.6MB
    MD5: 19c41762a5587df5806ca20e08ff4777
    SHA1: 9585d6ceb1beede888d7fbd14aee518fd60cef89
    SHA256: 83ef22d1856e37923ebbee5228f8b0471f36bb507cd0380284701b73267e55b6
    SHA512: 14298c598c9b01840d0f6d3490026b3c14a3c94cbbe6606afdac4ade47f98d1cba87bbe79c5bbd7f56bb2133fbcd0336bc58bf7f71c3ac0cf33303684d04722b

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 175B
    MD5: d525108202ce982ba5ea97abe16fdcbe
    SHA1: b9847cd8e6512ca2d3d1b21e00cba33f316ff5d6
    SHA256: ab6611473f3d1ccc44d4bb6465b0998f315bfffb9778ed481a72e94a36ed3473
    SHA512: f4293ab2dd325b6a5a11ee921001a15170738febbf56ae7572b43d6d9480cc3f556477732a4f40a17db33ac34c5cf9fb34b6a6ba2bf6826ac1e739a8c6008106

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 207B
    MD5: 013ff852ee117ee4b855c6019b400e1d
    SHA1: 676026d223e3635b8b9acbf304c7ebcdbf039be8
    SHA256: 8a5fce468db46743c57b7039ea4db06a2ea18b3752bbbfa17ed48935905257ec
    SHA512: 8edf2063194c0119adfb772d884810f1e7b1e09bdafc235636f0b32f4f44b57702ba2a02db12365779edc02f02ba27bb5d62c14e32a8b8abcdf60c1482c67761

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 193eea43aaf1bcdecaa4401c2c621203
    SHA1: 7123bb4173b8217b9741d0e4f7a5d55117283c73
    SHA256: c953f4f52477080af5b98c6daab6687ad240d19de5a3cc66d14873fe6774f83f
    SHA512: 3b19ffd2b72c03c5cd3e6a68ed89dcf70bedeec12eccf036b21ebf72304ecafc6788469fc9fc9af75c95b8d9fdd59e2b5495a9029e472b6a5e25b995fbf673e2