Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:15

General

  • Target: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  • Size: 2.6MB
  • MD5: 1adc363340d141addd5da75bbabdcb50
  • SHA1: 37ae4b90d13aac1a98963a6577c209078230ebfc
  • SHA256: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6c
  • SHA512: 0cec4e680a693c24871bd786ac4ffeb36502ecbd69ab89686110699eaf6d37b2cb3a28dea4026ff86964bed114a817576df53243687e11b94d1853bd15150e31
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUp0b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4964
    • C:\IntelprocR3\xbodsys.exe
      C:\IntelprocR3\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5036

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Galax88\dobasys.exe
          Filesize: 2.6MB
          MD5: 5ddeb391ab3ac28373c49a18a9fc5820
          SHA1: e20d2b080bebd9139c84c58416d7c70625c1e9a6
          SHA256: 53702ebe2017c945f2c47a2f890fa8800d9d4580a95231c1647d51b5506d8a21
          SHA512: 915eb3a726b9264b2921ba1dc3dd7b58782f2b3513a4a13d8e08ab3548bf22c95f531cfefe0682c23602c5f94873b3f1b15ff79c4dc946cb35728044e5768597

        • C:\Galax88\dobasys.exe
          Filesize: 2.6MB
          MD5: 01b7985dbdabde462880f807a7d6eea3
          SHA1: a3512cb4e11ad51950a66767fcc8a6739490a366
          SHA256: d2fd4575805e6a38e91d64ecb6a8825e094ce5f3b6fc2374c63d72264f4408e0
          SHA512: fb454bebb68bfdc3c53b414ab27c8bc0200aec6e210eb80ff6f5ae9f0fe292426c0b07a100d4a6ae29b32fa9cfce1a9becd59c28c5e9913afa711e34f744202b

        • C:\IntelprocR3\xbodsys.exe
          Filesize: 916KB
          MD5: 0294e6ceeeee93c180c029b7954ea242
          SHA1: a06d7fd94adadb1d07c1b5894a5f571fcc7c8803
          SHA256: 0452b24867b18148fb59fee832f300f49740e4fbd7b2b76784f728bd3cc76905
          SHA512: cbbbd4c938287a2b48331487af93a25afac7828689a90853180af2888236041d406b3f07057447c3fa1a9c8e6edd32036c902142ea91a3549fb0affa4a7899a8

        • C:\IntelprocR3\xbodsys.exe
          Filesize: 2.6MB
          MD5: 7cc65550790060baede29d570c3e8564
          SHA1: 2ebe4680e39d6df4520c2027f65c863dd0fea4f3
          SHA256: 1d4eb8d7bf319b2b7f0027c6399c4b5e316a225d36341e38fd4141f3ed244fef
          SHA512: 809e3c538bb1753b8da04fecdac1ba575d829f04503351be95e58d00a68aba76ca26f042dca81874e598a9573d261d8e91d5c761e5729974ae87959a8d7ffe17

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 206B
          MD5: e3e790db0abf7eaa62cd41a76c23f3a8
          SHA1: 0f5543fe574cca5cad0997110c3a631768b7dd86
          SHA256: 51d1a8b6eff29cf6b9923cc4cdb279c1d88ddf9186cd9af5df630ae19a2cc582
          SHA512: 63e4c50eb8e32f7824cf3208a4645271a751209cf7a01556eff94cea09b42eb8fc58b2b14885fda19c9367b93102e77bc79803c52bdc0611bc8dcaaab2e3e58d

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 174B
          MD5: f684046193b294bc3ffe3ee35e836ed4
          SHA1: bb19a4f6bac8e9d3e56c2062b12b669eda7812f0
          SHA256: 7e89b30dcbc83effd13c61cf3263548a239bd3f4723b85f351050f7873ec225f
          SHA512: ddb99a2df83dbc5f3ed94ca688c8c442ef09b555e329ee4797bb5b943ddcd278f12110a7a307eef4313b12808a90c8cdcc3739b0a77db3bdbbd912e2d4fb173f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
          Filesize: 2.6MB
          MD5: dd5e1277518c2506e3013a2c56130122
          SHA1: abef124210cb1359e87977d09ed8f79fb30bef35
          SHA256: 50ed4ab234a8c8362ff712ee96611eca44276d041c6ce51496d45540e8558f25
          SHA512: 169511251e9351d28d0d10608b9794dc184ec99972b5a9fed7e1d2388aa71ca26dc0c6c50d401bc3e63eb7497be09ef037daefc0479e04917fed88afce632bdd