Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 18:19

General

  • Target
    bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  • Size
    2.6MB
  • MD5
    20774abcb3137c180673bf29c1e0e420
  • SHA1
    e0ea9b3a5c455bea85fa7ce17cd37fd3413e0028
  • SHA256
    bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4
  • SHA512
    962ced127ef0b1447572b45dae015d80e4ad05932b3f15acc57d396b9164c7d27a80bbb09cd41ca68b1b2e87540e010f52aa2d2e96c5344850a365ea4c88925b
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSq:sxX7QnxrloE5dpUpKbV

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe (PID 1732)
    "C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (PID 3044)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\Files2H\aoptiloc.exe (PID 2092)
      C:\Files2H\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • C:\Files2H\aoptiloc.exe
    Filesize
    2.6MB
    MD5
    a2ff3513095e90a722628a399bc52de7
    SHA1
    15fa36f3992927dede566d1082d9432138c0f77f
    SHA256
    0ef2278eb794378a7112af79195449a78f6687ab07b66bc05b36d6ac203ad12a
    SHA512
    f9b60a18c3c8d08e303b77c7a46f1cd28d0a96b98be894e52b45fe5cc19be6088b93ea2670ae9edbade3f02b318c65d90e03cfdb4d8b208e63a80753fc7ea912

  • C:\GalaxMU\dobxloc.exe
    Filesize
    20KB
    MD5
    2873fb57ea06e0913c9b5dde7bd73c2d
    SHA1
    c2794b886d0f3c44e805ffe343756fd81b5c87ec
    SHA256
    08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587
    SHA512
    9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

  • C:\GalaxMU\dobxloc.exe
    Filesize
    2.6MB
    MD5
    ab3e71f138bc1692523acd44f8e1e5a9
    SHA1
    990b6c583bfd9e549318cca927d97b4be808225b
    SHA256
    486bc68473880756a8b8df4f256378dffb93f82408aed0d60bacf4551f2950ef
    SHA512
    06f534d086e3d4891e3c00fada936b9f5b6715a4e414ab14c5965dd35752a4f1d62d08e1bcf7819f4fcd91b0b406e23f559b01caab537891d440d9947f0427c5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    172B
    MD5
    f6cd40a5ab3fae93f0b666d54f9b0b62
    SHA1
    bad908badc075a7186b5c3e364064de397ab8061
    SHA256
    394103ea339335d3bee9ba41f3aa41cbd6a7c29cb8fface2723bc22b226d2648
    SHA512
    3f7fa8c22ef9b7a2f244463bc677d3a7399b06edc551e6c42847a834e57d30da54891556ea3d6c6ec31d6b57d6d5c514204d64c178c3c3b4deea5d823ff7d68c

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    204B
    MD5
    4f4d6572ed5b7523fe8c21082320b3e4
    SHA1
    16351888e919e6162c388c8c4a1eadf2e3cdf761
    SHA256
    fc0de4d840172dead85e46c9036ca470c7861cef2f7d8da4fb1693aa550d7e79
    SHA512
    9261eed7769ee27fad6096695349e0b4dc04baa06bbf045cbd7c657bc226d887cc6c524119dcab7b2915fd109d138e441a71687db2e0ade814e19269762f261a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Filesize
    2.6MB
    MD5
    a1a53fac4810271dfbd7f096006bf81e
    SHA1
    38ea8873f0eaeec8a91af58ff2ade27a78a8b140
    SHA256
    4bfba03a5e182b962bd1e76450c9e0cf4a3ba7b914714bae63221fbefe628cb7
    SHA512
    bd6d63207ab527f895bccf15b772b857bceee9e1ccc4045af29d8aabfcfded39ae63a7c5b4f36eed66743c9133e498cb20cf230e0db78e21751b61b9a2673d7e