Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:13

General

  • Target
    95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  • Size
    2.6MB
  • MD5
    7dfd8ebf5512591fc9a1f79239380f6f
  • SHA1
    ebe3dcdabe9e7f5f07f1f44573406172453c064f
  • SHA256
    95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10
  • SHA512
    d566cd4cdd428a1d554da42cd6ca17ba53539e682c220ca447c714494f5f32e4cc538f0f526df06129b73652c882d0fcd14dc166c46efba94daa84cd069288cb
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSS:sxX7QnxrloE5dpUp6bF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
    "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1844
    • C:\SysDrvTL\devoptiloc.exe
      C:\SysDrvTL\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3200

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\GalaxHV\dobdevec.exe
    Filesize: 2.6MB
    MD5: 974108f8eae5989e5de66fe5d292f1f2
    SHA1: a35467a47148f7ab18d194773d312d8326edac5d
    SHA256: 1f00ca27270fb0d29918f7ec4e0fc1bf645853fcdf26580ee6c014769f0bb9ac
    SHA512: 41ccb85da84ecc7d25bee647496d659d5d7ae15e339c92f544c23f0b626380fa0a85eb7883f692f54581035f6431a43384294ecc4ac5d13d8000d60f44ee3401

  • C:\GalaxHV\dobdevec.exe
    Filesize: 20KB
    MD5: 2873fb57ea06e0913c9b5dde7bd73c2d
    SHA1: c2794b886d0f3c44e805ffe343756fd81b5c87ec
    SHA256: 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587
    SHA512: 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

  • C:\SysDrvTL\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 33d6f51202cac1c64796fbcd39009f56
    SHA1: 350039420fa2be3e0b02ac505728937b12bc0794
    SHA256: 4e5096537808c2348893a196315059b17fb90bea236053413dff8e762644e9ac
    SHA512: f8bb1ce6e8656e49dec079cd68fec01e50fc8b0a46e85c76dec9eb8ee22f6ca51f1583ffa36595d7543ae27ca1c95222a982cc345dbeeee3483f96d956372ac7

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 208B
    MD5: 20be682eaf1079762e5994180acbd9e5
    SHA1: b3e4059b5f59bf7f1869dafcfdf6063c53cc69a5
    SHA256: b18b882a5a9993494ef9b76c32df4c4fc8dda307b71710fd76f7f15b29580515
    SHA512: 0d239649283ec7719dfb70626ad0751ce2a3588c3a6469a6a5b7f238e90bbb22b15dfb18cc83b385e2675a71d8058a649055c353c63650a0fc221abe5725eb10

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 176B
    MD5: 7f30ac06e8bec73fd277f605c2d19c9b
    SHA1: 70249f190dc1ff24a3d0ea1823756ff8d21b4fb7
    SHA256: 7ac2ffb93ba4aa27a0b2ba702d383d9945882b144fe7c6b4279ca66772aa5f5a
    SHA512: 11d071ef911da18fe630321cb59d5b4809709afefddb96432eb613832ade61afcde1db258156ef6e73dbe3a8d4408d09967a5f11e5d19d3635ed9fb60e3f58d1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: cca61f6ac85d28f74d37350c14f130eb
    SHA1: 48098d438b017a6e0f0bf5527d9a3f6127ae1421
    SHA256: 1d9ae25b0de8de331ac7dce1ff3233e453ca3de309f5cef2197f13001e1bee45
    SHA512: e9c56c5b6298e91e85b21f18562ebb2acc6d5f6727f76342b12342a13e9801e1fb57409bcb5143060bb769f04dd6f21f32b2df46183a1c8d1d9c1cdfa4ef5b17