Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:00

General

  • Target

    d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe

  • Size

    2.6MB

  • MD5

    f7cf191c3efdf86f2d1a224d2d47fd70

  • SHA1

    4d6cc971511f21e001654d7600db6984c71a57ed

  • SHA256

    d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8

  • SHA512

    730714123d20e8c4dcc046ae7b6f4d1fe5a08f6d044eed175c084f3dfe39ca141222c6f85d8f885db5d8494f0672bc491cd364abdf0ec31e3875ba31f96d0ae3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2840
    • C:\SysDrvMC\aoptiloc.exe
      C:\SysDrvMC\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3208
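The process tree above is the chain a detection should key on: the sample writes one copy into the user's Startup folder and another into C:\SysDrvMC\, registers a Run key, and then executes both copies itself. The following is an added example (not part of the sandbox report) that flags that drop-then-execute-with-persistence pattern over Sysmon-style events. The event records, their field names, the shortened dropper name "dropper.exe" and the Run-key value name "aoptiloc" are constructed for the example; the report only states that a Run key was added, not its hive or value name.

```python
"""Added example (not from the sandbox report): flag the dropper-to-persistence
chain from the process tree over constructed Sysmon-style events."""
import re
from collections import defaultdict

# Generic persistence locations. The Startup-folder path shape and the Run key
# are standard Windows locations; the sample paths below mirror the report.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"  # constructed short name

# Constructed Sysmon-like events: EventID 11 = FileCreate, 13 = RegistryValueSet,
# 1 = ProcessCreate. PIDs and target paths follow the report's process tree.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4076, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"EventID": 11, "ProcessId": 4076, "Image": DROPPER,
     "TargetFilename": r"C:\SysDrvMC\aoptiloc.exe"},
    {"EventID": 13, "ProcessId": 4076, "Image": DROPPER,   # hive/value name assumed
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\aoptiloc",
     "Details": r"C:\SysDrvMC\aoptiloc.exe"},
    {"EventID": 1, "ProcessId": 2840, "ParentProcessId": 4076, "ParentImage": DROPPER,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"EventID": 1, "ProcessId": 3208, "ParentProcessId": 4076, "ParentImage": DROPPER,
     "Image": r"C:\SysDrvMC\aoptiloc.exe"},
    # Benign noise: an installer writing its payload and launching it, with no
    # persistence location involved. It must not alert.
    {"EventID": 11, "ProcessId": 500, "Image": r"C:\Program Files\App\setup.exe",
     "TargetFilename": r"C:\Program Files\App\app.exe"},
    {"EventID": 1, "ProcessId": 501, "ParentProcessId": 500,
     "Image": r"C:\Program Files\App\app.exe",
     "ParentImage": r"C:\Program Files\App\setup.exe"},
]


def detect_drop_and_execute(events):
    """Return one alert per child process whose image was written by its own
    parent, but only when that parent also touched a persistence location
    (Startup folder write or Run key set). Either half alone is common on a
    normal host; the combination is the chain seen in the report."""
    written = defaultdict(set)       # pid -> lowercase paths it created
    persistence = defaultdict(list)  # pid -> (kind, location) indicators
    alerts = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            written[pid].add(target.lower())
            if STARTUP_DIR_RE.search(target):
                persistence[pid].append(("startup_folder", target))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            persistence[pid].append(("run_key", ev["TargetObject"]))
        elif ev["EventID"] == 1:
            ppid = ev["ParentProcessId"]
            if ev["Image"].lower() in written[ppid]:
                alerts.append({
                    "parent_pid": ppid,
                    "parent": ev["ParentImage"],
                    "executed_dropped": ev["Image"],
                    "persistence": list(persistence[ppid]),
                })
    return [a for a in alerts if a["persistence"]]


if __name__ == "__main__":
    for alert in detect_drop_and_execute(SAMPLE_EVENTS):
        print(alert)
```

Correlation is by the parent's PID within one event stream, so in production the window should be bounded (PID reuse) and the Run-key rule should also cover HKLM and the RunOnce keys; both are left out here to keep the example to what the report shows.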

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxB3\boddevsys.exe

          Filesize

          2.6MB

          MD5

          492b4e27b8c2abac678e83ba4efc0633

          SHA1

          f0ab8c39ce09760bb41dcd26e4b057f27de0efa4

          SHA256

          62e0768f3c6da3402bdc83148f0c23a6ea5b20dca221136ef75cde0b03e5bed4

          SHA512

          7dcdcedb57d105f204740f6e40a6fb7327f4d4ab7459dcd8b9a562e1c75a9198fd29ca77d7976795c5d686e5b8d44b1033cddcfb2b055f402ce4b90fd41103e8

        • C:\GalaxB3\boddevsys.exe

          Filesize

          2.6MB

          MD5

          9c3fb6f1464c3b66f26978685a612e1d

          SHA1

          63373df0eebc9e09e4bf17d409ae5d55b34d064c

          SHA256

          8f7efdca0eedb4934e17c0c75824d173ab3b8d5aaabe6bd98c448a70d36c94c7

          SHA512

          a0c88aa14e366bcc840c47081539467c1172bb8218ad4338cc4e39d9cd5c548b6d26b55ec73d070d67aed1f7f99a1d5101be266f57c45b5bbe75ce5303586138

        • C:\SysDrvMC\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          2cd6540bc31ba951368ba52fe9ccbef9

          SHA1

          8e8f6f32a491abfe0f8899e563096e73a2e81013

          SHA256

          e65e93e41401115f18f482b0b8277928d3dc1d53499a4cac50458a63a4c92fbf

          SHA512

          7d94c96419f585d1f1646885456969e60f78375e096d2f083ad4051b30975363c8c98b1b574c9cff1bdaea300b335382641490e2ecd4b05ec642e2568bb762e5

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          207B

          MD5

          55d1f78c556f44ea74d924f87dbd624a

          SHA1

          56fc3ff1ed19649564b7df3e97354243eb599764

          SHA256

          d2e34de3ec093f1946e93856124975eddb2a7afb18618d27f9d1a3244fb23e8f

          SHA512

          c2fe1972e810e208a07eb0708147ed8ef35bd5b158600d86e0783d079810f20cf758ab9551f30b05de0d010d649bbb569c03d5dead46ba305c6af0d208ea814b

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          175B

          MD5

          9195629f9811689c115cdd0712af0af4

          SHA1

          a6c14fad3da0c7f180312e1385ed2ee3b9ce0a98

          SHA256

          0f212ee88bf9a0e23dcd8bc4aa99a447a366fc649b03702f045c5949297d6a41

          SHA512

          c037283437b81c1967e602a8f706cf1ef90146e3f1fe879bad769fb61abccaf333f2af6a92a8df46cb650a8a5b8660304a00887d2c2cda08f6b93d2d20230b8f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

          Filesize

          2.6MB

          MD5

          34247b38d90d6005694747655cd68ace

          SHA1

          33bde141ef498d654739ee1030ec2aa06210d0cf

          SHA256

          666f7961ee64e64d5a9c4b18bdcee33dfa34d10a5f912851e7c8a4ebe952d239

          SHA512

          aee75332b159a7b3fe341b80c214f584d6122b8cb389bd59eed03ad095d0f545151d50b2d611f09ac047d20e200c9aa5739062faf83dffed50ea015e729d5410
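Two things in the dropped-file list above matter for anyone turning it into indicators: the report lists four digests per file, and the same path (C:\GalaxB3\boddevsys.exe, and the .ini under C:\Users\Admin) appears twice with different hashes, meaning the file was rewritten during the run. The following is an added example (not part of the sandbox report) that computes the same digest set for a file and matches it against the SHA256 values transcribed from this page; the in-memory sample bytes used in the demo are constructed, and the helper names are mine. SHA256 is the matching key; MD5 and SHA1 are computed only so the result can be cross-referenced with feeds that still index on them.

```python
"""Added example (not from the sandbox report): hash a file the way the report
does and match it against the report's dropped-file SHA256 values."""
import hashlib

DIGESTS = ("md5", "sha1", "sha256", "sha512")

# SHA256 -> path, transcribed from the report (the submitted sample first).
REPORT_IOCS = {
    "d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8":
        r"C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe",
    "62e0768f3c6da3402bdc83148f0c23a6ea5b20dca221136ef75cde0b03e5bed4": r"C:\GalaxB3\boddevsys.exe",
    "8f7efdca0eedb4934e17c0c75824d173ab3b8d5aaabe6bd98c448a70d36c94c7": r"C:\GalaxB3\boddevsys.exe",
    "e65e93e41401115f18f482b0b8277928d3dc1d53499a4cac50458a63a4c92fbf": r"C:\SysDrvMC\aoptiloc.exe",
    "d2e34de3ec093f1946e93856124975eddb2a7afb18618d27f9d1a3244fb23e8f": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
    "0f212ee88bf9a0e23dcd8bc4aa99a447a366fc649b03702f045c5949297d6a41": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
    "666f7961ee64e64d5a9c4b18bdcee33dfa34d10a5f912851e7c8a4ebe952d239":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe",
}


def digest_bytes(data):
    """All four digests for an in-memory blob (small dropped files, memory dumps)."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def digest_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so multi-MB binaries are not
    read into memory at once; every hasher sees each chunk exactly once."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests):
    """Report path for a SHA256 hit (case-insensitive), else None."""
    return REPORT_IOCS.get(digests["sha256"].lower())


def rewritten_paths():
    """Paths the report lists under more than one hash: the file was rewritten
    during the run, so a single-hash indicator for that path is fragile."""
    seen, dupes = set(), set()
    for path in REPORT_IOCS.values():
        if path in seen:
            dupes.add(path)
        seen.add(path)
    return dupes


if __name__ == "__main__":
    demo = digest_bytes(b"constructed sample bytes, not the malware")
    print("match:", match_report(demo))          # None: constructed bytes are not in the report
    print("rewritten during run:", rewritten_paths())
```

For the rewritten paths, pivot on the path and the parent process (the dropper writing into C:\GalaxB3\ and C:\SysDrvMC\) rather than on any one hash; the hash set is still useful for exact-match retro-hunting of this specific run.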