Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 22:58

General

  • Target

    8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe

  • Size

    2.6MB

  • MD5

    a8c23cf01ddca118253b54c8bd9c7c40

  • SHA1

    46d3a880fde7512b73bc768ebcfcc0e37b023fa6

  • SHA256

    8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823f

  • SHA512

    c1bace1db34362cc10b193f659bf57e9227cf0cc43b7da676c00af05ad94653ea527acdc6bc99c7282f61ef6c1d53c43b71a16bf72a1a1100e9ff8e92fd4c5d4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpzb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
    "C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2100
    • C:\IntelprocW9\xoptiec.exe
      C:\IntelprocW9\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:796

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxKX\bodxec.exe

          Filesize

          2.6MB

          MD5

          9fb4fcfed5df47333511f6ff321a1e3a

          SHA1

          6abd3fa3fb17770f0e2df3a500569857217d70ab

          SHA256

          b7fb271cc53f9789bd54ade05ecdf4525e7f677a9c2b0280d1890bf34e86db5a

          SHA512

          3bed07fb3b06f4af64d65f5cb9fa7d3211de5a4149cb109227d95649b32c20df1adc181894c569343ed51724e7afecf85363ca972e6c9d825bbafa352dc3744d

        • C:\GalaxKX\bodxec.exe

          Filesize

          27KB

          MD5

          9066f9da2f6e14f558228b695e72cbf2

          SHA1

          91038a2a5cdbee686253b1163db1462b67afdc3e

          SHA256

          afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4

          SHA512

          41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d

        • C:\IntelprocW9\xoptiec.exe

          Filesize

          2.6MB

          MD5

          e533b20f19695e5552170bdd69b85771

          SHA1

          298d8975b6ebe39846c49d79f054deb502abbda8

          SHA256

          e9f7f7dab03d46466b898c8dc68d2bac0ebf7d871ffa560cc000a6329eb593ad

          SHA512

          ee6af73bb7490c22205ea5080344ca90a6c07eec537cdda98e6516d8fe9fbef9908fda9c9728741a38443bffd61c41b6334d24c51b97a4f08ccebed5099fea1c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          6d5f30b803628c2a1a971408fa78378f

          SHA1

          f6035e1680d6bf09b2f17967c78b003db73ebfe0

          SHA256

          7c95a2217ea8488351cf7d52d151bd6fad167fef47da0d6a4e218ae5a889def0

          SHA512

          68e0bd54a762946964a647539a216690d32ce2b7dca0f1ed4770070550640cc4221461009293fedff9183e3a947ce0bb896cf097ea4de586ac59928432df4432

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          f0322d49211dd3301cb67b88029594fc

          SHA1

          cba9599d99f4bfcd3b63f6d3387169e0fac98a80

          SHA256

          e4dac26e2504ccd837088e187f5e18f7ec1a0b680bcec3819468972d840bc7fe

          SHA512

          2218f84c617ed3558e1eac673419dc399d14268dc67b26b2b87c0d50e78ffd186e639919c67af6c21d77b4ae783bc0d5cf6e7c01f9190a786e6b3e73cb728ad5

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          a91dd70e068653a5bca35736775ddd97

          SHA1

          d8c3cfc54fcb6979133a4a56e88741cfd701b2ae

          SHA256

          8d79855e91f051a6dc0dc2ca4474f6c3b0d42061a9d892d626e2a112adc8b4fb

          SHA512

          9cadeeb7619c80eb5686b910c94e229ba16507eb4052749c3b172c0f717355e6f09a9387ca68dcebdb8038e4f551ca0c2f39ed6599d33d4ec13f794608f55208