Analysis

  • max time kernel
    120s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:49

General

  • Target
    7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  • Size
    2.6MB
  • MD5
    3d9a5f944c590f6857ce536f40489f60
  • SHA1
    f5075b9092f36a62cca582b47e454cc13874aee5
  • SHA256
    7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428
  • SHA512
    3aa09ff9bfd1922f0fe807cbdb78499248127cdfb58d40c4e08ab449be0e04efd100e59dd1fdad328dc573cd8d2023ae2ba9da0399a52830544b8cd7d8ed9b96
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
    "C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 932
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 3128
    • C:\UserDot9H\xoptiloc.exe
      C:\UserDot9H\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 2480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxQB\bodaec.exe
    Filesize: 14KB
    MD5: 9262cab29eba6c8ec58cf55dd510774f
    SHA1: 9c109088d1dc40745dede1654950cf3c14a07d0e
    SHA256: e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945
    SHA512: 2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004

  • C:\GalaxQB\bodaec.exe
    Filesize: 2.6MB
    MD5: 5bfe2b9716e543bdee47798a769839d9
    SHA1: 878191dedcf35a996a83e354a56493f6cff7fb4e
    SHA256: 2ea00a57dfcae75cc4deffe5f42850f1bd1b1e66f0892fc16209350bb2e9f0f7
    SHA512: 305f3dc3d78edde1d50e68bfb5e21db1185e8bd389bfe9eb8e12ee504a37e2fb0e7e8ab49bc0508b46bc99fb39eb935c7657e2f0bc40ec948fbf615710b1adf8

  • C:\UserDot9H\xoptiloc.exe
    Filesize: 2.6MB
    MD5: 0c4b64916ce69274cd527b0d002b7707
    SHA1: ea6b0407f91b82ede18461fa99eb642858c43790
    SHA256: 9a0f7478beed5f7620257d4841ebaafde05a19e50c3d10210a0c1631c440f1c2
    SHA512: 0a3e60dc5248820ff5150e0586f42eca114f5b7883c62d2d66d03739f64840f7ee0ee4f660a2863eece28a2d33dc33e29590bbac5bb87e03071a09b124b2ba6a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: dd1fd974b41154cb91d0260ba3e360ef
    SHA1: 31fc359c579d0f739a178df033518024ba675408
    SHA256: 2f6eba9b56b38b4ad77fe834b30a752ab713eb73653734507316eabbab43bf44
    SHA512: f44cf06b919deea05231f0ea9452197dc5a5a8f5deb3c0936e63285651b48c5d396ff2d9f8fa21d697cdf46f42e26dbec8440dc89eb58d5484d0ddda670f1109

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: dd6106f606da4c6b5aaa5beffb133726
    SHA1: c400572c25c31291961f9e4ba18c412387a6bb3d
    SHA256: 92a7bf867707934677957a2bc5052707986c7bc88fd17f3fd013d26659035c32
    SHA512: 3048c1208e9215950469e5fc01d2c4062c3a299ecfaea506b583013f9b8c88f4df4fce68f4175077f6330747221f1e18f239ed6ac197336cbb7ea94e72cfb8a2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 71ef51d55e463bbc9f6764289ea08023
    SHA1: 6378a168c433cd13b5acfe122070e76a9e20de0a
    SHA256: c8adbb95dfb10aa5057961889237bd10fd939f25e4cbbe3d4489b92c3e219152
    SHA512: 180aed5e0ef98c1312a2c179da9852d6e3c090d7f9fb93ea94dc2d71d2e6a79a96b4a48da709554b43b722737c8b0fe98254c6b363bd5bb7af8df1f9cfcf6c60