Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:31

General

  • Target: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  • Size: 2.6MB
  • MD5: 04a1537d62800d2cba94e14ced5665f5
  • SHA1: 02a4c88b2de8e63189b08950e4c9ba4a6f8b75b3
  • SHA256: 9a31ec079f9330ff7ddf0422629886da291a0eb802c11a33099e00a5766221b1
  • SHA512: 3f365007e6e73892140da601a659e2b42fa10daa60eb322bc972efab349bb0cdefd1b8c5134b62cf7546e25c0c3ee237e67ee71456d5dea4a5fb9ab3da7e60f3
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSL:sxX7QnxrloE5dpUpvbQ

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
    "C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2716
    • C:\UserDotC8\devoptisys.exe
      C:\UserDotC8\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5000

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxHD\dobdevec.exe
    Filesize: 2.6MB
    MD5: fd04578131df58619238f8d9c22eae9c
    SHA1: a0a05380bf81a6d836f1e2c93573406e4a015591
    SHA256: d7d32f28bbd01a33892dbe344de4f8d347b9443423999717cf04876ead366e71
    SHA512: fc4151bf77250d7d03f9633374482607277c63ee90fbafff73dcfe85b29a2550f8159033493912a9f419431b82642d01b826316dd18c36cd4264bb02e06d2d73

  • C:\GalaxHD\dobdevec.exe
    Filesize: 2.6MB
    MD5: bc0ef9b484040b7bf13e130882371e55
    SHA1: 74a9aea8532f13f0a69cc27e157ffdbe927f8619
    SHA256: 1d82534dafd5be101db76c87f5da57f9001178a43fc8898df555e3dc7e6e7d75
    SHA512: 54d5caed5c3c2234d6550f658e8f774e33e49717773ed864a3b120290f5c94b1a315e8d6001ae1c869c9e74baacba51f3415ab42e85bf0ee8b89c8d2503ae5d5

  • C:\UserDotC8\devoptisys.exe
    Filesize: 2.6MB
    MD5: dde42f4395c427ea045ec626621f5239
    SHA1: fb661c9b227dd3dd4a5d50658e664c91e81a27a2
    SHA256: 5acfc66994452a6906101a05806fb81f208a4cfcc06dba4e897068c063b3515b
    SHA512: 9062f343efd4de8b45edfa712f14b7029269e4ff86f3cc222ae6d19071503f417586e256283154f314eb6efc279bb6b48976cc808529238549c3cc8e0526e661

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 209B
    MD5: 53ae2d5866a99f94ba2c2499b58c1c97
    SHA1: f3a50937c3f7bb00dff746615837d9811797f5a6
    SHA256: 9221c7435a928caca93ba02a836aa3616db937580c17e0ed25e1e893478080d1
    SHA512: 54baa5bdf7cada6d7938a6e760e555f31d9f39b2d63c6847c3fe8f84a495baf83ae3f4c79e52b8bba92c970e21c6325c91bcd1e8eed9b23fda868650376df122

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 177B
    MD5: 65cc5579b175760661356e7ab82c32c8
    SHA1: 8c69575b2d89d647d8e2cf16f294d79fb26f6b77
    SHA256: 964e6adc1d7442f6ddb6a5f8250cd9b76506649d9f904ea558d122529a0151a9
    SHA512: f167eadf32ca42318619abb66ef075415970074f1055278abc45905b3617e69097cc368b2800d5123e30cd270b7bcf8f23c5462272c54435e69f3c913e66b77c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: 2d8b436587c21b5e8f3831df4a337627
    SHA1: 0aa02187ce93536ee60e88452a1e61fa437d7ad0
    SHA256: 5e00fa980d16dc0fc41dfb708eaecfc2e648367a97caa6a4904b4ec957c9dbdc
    SHA512: 6824fa52a90cffacf54943f9f728fd848859be5ffdb2cad0777c60c579f87d9100c796c1790e23689dd72890c980709bf7efd8ffe698a97bf120a2282c259146