Analysis

  • max time kernel
    148s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:27

General

  • Target

    6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe

  • Size

    2.6MB

  • MD5

    e38140640c98a63a8f77a11318314497

  • SHA1

    04eaa25131abcde8ba90647f08998b2f0b550034

  • SHA256

    6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1

  • SHA512

    43d60cf61ded1b731022303b85e641b80f4bb4da3400d65d5e9f53ff7d9956d7bd9dc57f16ec41ae13f881e757c4df5ce4d7b84c04c14a85331388b51f5b6e64

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
    "C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2432
    • C:\SysDrvXN\xdobec.exe
      C:\SysDrvXN\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2584

Network


        Downloads

        • C:\GalaxDF\boddevsys.exe

          Filesize

          2.6MB

          MD5

          9cfa03b4de8aaac1eb30cd83e2cb2354

          SHA1

          9a4d031d2a634ffe2ddcc6c068a2b207afa8a803

          SHA256

          d06d6eb1a9825353f98d994b4b27740d0539f8c489ac16c147a00aa14462cd4b

          SHA512

          51b0b945b90eee2baad642e54448acc22b720152787e075ed05ccd7c63b1244fb24a2281fa7606283236d056c6822e4cf04fe570120e9129fad0b58d3be40d22

        • C:\GalaxDF\boddevsys.exe

          Filesize

          2.6MB

          MD5

          13500401707c5370492d3577a8a42cea

          SHA1

          1a508cd39f0a017beeb952cdc509a604c5dace50

          SHA256

          e8a3cc464c099f92a966899a477a3a400f6843717062035092869ec2305ca36f

          SHA512

          9f1b6dade81dfb411f7874663d7c715092f443abaaccdcc742218fe9e963dd834e7db1506a82d8b648e70270ec1daf0d1f65aa57e8ef468c4f90cb6f58d940fb

        • C:\SysDrvXN\xdobec.exe

          Filesize

          2.6MB

          MD5

          f306ffd1834922e210ba79ad6030d74c

          SHA1

          b71cdbe8787a7e0c0164e7bc3be27879e00602d5

          SHA256

          04a55b5ce07ddf9f818981a645c15ceed92923364941593fd7c7dd56a9579990

          SHA512

          7c765f473ac2d844f2e9a360cbd1c51f3d9387b5d8ed6019f53dc3e070e351ae6fb1664445fce4403e69f253ebd58e8935a5e16b972796d5bfedeed17676c998

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          132cf19b7d4bfd05d0b1857039b8e826

          SHA1

          a91dffc216f680bf2a11ebc9c80788099b578832

          SHA256

          497cec8660b9ebf79980cdc04223076b5934cbfc43c25d3f03cd8f4cc7e9bff6

          SHA512

          120895865f179aaa6b82eadb0c35fda2c439baf9834824f9ea97dcecb96d77c3425a80c8f2259833ddae4c21bac4db7a4cdc3860d2f0d507371a829f539ba563

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          4275a56b1731a4baff37b8fad8dad183

          SHA1

          cebc5d1b7b9aced5c95ecedcd84762eeaa3c1dff

          SHA256

          e8cc7303dc66a4bf70091afde1a168e5738cb1af2c2408d396605300276e4665

          SHA512

          f9a1c193b46d5b503eb9fe23ee0e83d76118fe545bea1b23a3384d902a6374bfe76f23ffdee15f6499ab327974a23a73f005ecde15e60227b65878630ad491c3

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

          Filesize

          2.6MB

          MD5

          ee28770a7977a03c18682a0c18c1df85

          SHA1

          747ab889d0a3595968329f413bf964c452a19b04

          SHA256

          dddd899e44201bb301126afe559ab527eb43269ac534f7073b6df3cc69fa0fb3

          SHA512

          2b785541a63764883a789d1639f589b5e2d55060b18d7bd7341021b44e7d2e769797b70cbec86611ae9f91732d64ff9a8eafca5bbbb5e2043aa0be25e57afdd2