Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 23:36

General

  • Target: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
  • Size: 2.6MB
  • MD5: cbd0bf2ceb1e66b901c9a5e53b9c830b
  • SHA1: 7982722543a8118da5f1d313a3b09a429e428834
  • SHA256: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899
  • SHA512: 8fed557f28860f87fc058dde07da8eedacceebb1d63fb131d0e5fc2487444ea3124eddd1bdc1bfadcf7f8614d35969171b851151bcd04264086e5c2a6473409d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe (PID 1784, tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 4376, tree level 2, child of PID 1784)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvOY\devoptiloc.exe (PID 1160, tree level 2, child of PID 1784)
      Command line: C:\SysDrvOY\devoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\GalaxGD\dobaloc.exe (465KB)
    MD5: 8c48839869cdc33ee8d808cefe4bff31
    SHA1: 5b0b150ac50ac276c0394f201a9a70914f7030d1
    SHA256: 0c7ff96bd5692ea5156bae38325137308fb73a9dcc77a1d4745d404c26fd50c8
    SHA512: 92c3e5ffc33e917f5f31664804b9a54caa4fe3bbaa7597b30172b6643fa48df9ca0ab3a9dd9c5c87c16a92feb5d88232a9ba4f26b67c04e892cff5889fc847eb

  • C:\GalaxGD\dobaloc.exe (2.6MB)
    MD5: 3cfc1096b13ce7ab8735810ab4d16307
    SHA1: caec2fb8e8dc9f9bde8779b61c413edc3b752e62
    SHA256: d757b692d8295f6e5b02f40a09fea36c1171593d26429207a0b113b86ff250c4
    SHA512: 61f5644ce7a001748eabe5f645daea9a9adff9e8409f85d217e4a176fbf0baae2454b9ff2ebc158dd87b06294458cda8e5a2941720a858d4135e77d3e04cb1e0

  • C:\SysDrvOY\devoptiloc.exe (368KB)
    MD5: e34520bc93203a072a939ec6969e94e9
    SHA1: 8c1f498f5e8e597e6684225ad02860b524bfd4c6
    SHA256: 4ad79bf2a64f85d256f14d61117eaae47ed13ffc396bce3be1863004e20cc67f
    SHA512: 22ee91e55d2257abd6f1819a1cc18770579d03c47e9f5b016a3c40fe565aa221358019fb10289bd3e1d33d961cadcf5cfa2a2bd77ef03282c9541b3d660ac81a

  • C:\SysDrvOY\devoptiloc.exe (2.6MB)
    MD5: 2d8c055e41eb6bc8a100f1bd093d9904
    SHA1: 44a3ee96b13dc251aae76666ec80f94ec62f0e8e
    SHA256: 68d691d6131936d0e1862e3fe6325d7e0d3b68543afe9a20b17c3fba427413f5
    SHA512: 75643960cfe3de728bacfaed82d67333d6f85270426c2abe069f241b2e7dc53b35a63b3b54ce2b4ca4a189b2d832a00b2c5f597146a572267595c4f635d813db

  • C:\Users\Admin\253086396416_10.0_Admin.ini (204B)
    MD5: df01066a5764d81c61bf68c499b3e71f
    SHA1: b5fa03ce2cc4e54db01f60f0cbd1cb604d2ef654
    SHA256: ebede10db995092baa009b0de44d98a63fd3cbaf32ba3b7a742c4207e1ae7b2f
    SHA512: 8a061243a4757018cf5d3078036f96392b6e65edaabecf23a258f9b3afd8b1210901328837ffb77ec197b32b5c0c0a7375636aa838045a10bfb9ba7e36ab654b

  • C:\Users\Admin\253086396416_10.0_Admin.ini (172B)
    MD5: b8a05e527e95d01834a8c99257bac3d0
    SHA1: 8c1489e2f6557fa8de714d0cebc6557426f5f111
    SHA256: 9aa08b1e2271249979feffa21514e0c24eda82ed1e1d39c93da8f6b75a9343cc
    SHA512: 568ebda83ba21593fe7194c0e8bdf0dc1900cf8c646b56d8a42b875ded18ad1c8b965a5abd60960fc13cafdd50f0b7fd94124a2557405a1ed4d0989f579f9a5e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (2.6MB)
    MD5: 22e6746ea60c6d0e40396860fabd618f
    SHA1: 18a24cbb9f6f950d7ade64704d7d89b4ec158ba0
    SHA256: ef03825813b22188768f0ec777c21dc4ddd43544237d55babced99d919e40d01
    SHA512: bf12004ab7dae8fed2290b1815f003002e4ed61b7bc00f8901fc4ec12b04896176b83d55711b65420071f5ad4ea4eb530d5e2fde748d41ba982acef56a96798f