Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:38

General

  • Target: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
  • Size: 2.6MB
  • MD5: 37456cc11ecdb190fe3a6a3f53c61860
  • SHA1: f2f5eca5d60f67a17277a8e2b8c929041f3eb031
  • SHA256: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17
  • SHA512: 80fd964ee3dbe341d7c71c08cb629f3b407375e5d9e5fb1e65dbfa78fb2935ae3dba2774703624aee6210bfeca475161e6b623fc1329b18dc26a5c6923f2ef34
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
    "C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
    • C:\FilesWN\xdobsys.exe
      C:\FilesWN\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesWN\xdobsys.exe
    Filesize: 9KB
    MD5: 61b773990ee27e9e908970e63b267f79
    SHA1: 522f4b8bd8207fe759634142fdb72607b71380f4
    SHA256: 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d
    SHA512: 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e

  • C:\GalaxM8\bodxloc.exe
    Filesize: 11KB
    MD5: 4b15a8dc60fb28ba194308947f8d0bdf
    SHA1: addcf6f0cc5dc9577f5354dd3efdf91843caddb2
    SHA256: eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152
    SHA512: 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

  • C:\GalaxM8\bodxloc.exe
    Filesize: 2.6MB
    MD5: 27dbcfde0d4705bc70943febd554ef43
    SHA1: 1c2c2293fd608bcadf8c20e45222fe822ca7d757
    SHA256: a1c99f033e3441a83209accd7575df428f73c1d783ee9a6f4007a1cd8667addf
    SHA512: 47204c06cb8e8d7979717a543c2a2576ef90f987064b65bb202554d0f87e915c7c3a4b6d7e04a40ba833449d0ddbf0f5629d50829c2d3e322d4ddf1139c261b6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 234a8452369ad3b3d23faff84b116e36
    SHA1: 1677bd47a29c984fd1f10696eb85658b60c35a07
    SHA256: 6424dfa0781e2366f6c4a2356cbf5c276272c8c5a5183e9567bd80cdfe83645c
    SHA512: df9680ef3dbbab90c174cebedd178bf7c6ae1f71b02cb46ebed7b7625c063df52a3a2ee2f6c6288959f1f06af41474d309d42161f3ab5cbe2de3b1fbf62f8469

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: cc143e566c36996b0cac15316edf3241
    SHA1: ceda6ebac3992199a9e42c850287c49381536643
    SHA256: 1a438862dbf2fe975191d3bbb3d129f9308fc465f53960c768671dcb7b81eac4
    SHA512: 4b5e2fe0b752392984d41846216d89dfeb4f7d3806555ad3d56c645444b97db3f0f51879d39e96330a2982fac407d63ee5ecc1ec6576cdd9e1ac3f1b2320b24f

  • \FilesWN\xdobsys.exe
    Filesize: 2.6MB
    MD5: c12a9f08c88022efb2ccd48ef903fd60
    SHA1: 3617e3d1a20f3fa4693ed8d29923ded594c2b341
    SHA256: dd977b120a28d78334365a90f86644005df38cbe3a4467a4c5dbed3080971ea7
    SHA512: bd1a3bb5e45b460071b556df1569997eb4376b5d386dbff5ea163b6d8f04691e39c05ffcedfd654a9a34758f34982cda497e6aed8917f7104f3b8de7b441690a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize: 2.6MB
    MD5: 8d978cfa0c7e6d1d2fd391c7315acb47
    SHA1: c45bd78adab3febe44b41a6d2d792669289661ed
    SHA256: 286c333d619bccfdb98416927d45accee3b95d9bd3a1e776e1ec610182aa69cd
    SHA512: 431dfdd8d95992d1b2c60060a67ba3e7a2295dcb14f416ca4c715df8f25261928b1a0679e16546197dbb3b2f5227023088bcf838378dcd01d2320b939bb674d3