Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:56

General

  • Target

    9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe

  • Size

    2.6MB

  • MD5

    cbd5e96b9a7b33d1320493b1327e8110

  • SHA1

    7eb7af8cf902e4cf765f289327d60c7cb1be55fe

  • SHA256

    9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8

  • SHA512

    cc3de625dc8be39db4c62b36ce4ea4d7fb16b841a13b1bc5fe378e54b5a1074b2106f4f85d1db4fe44455f0721540d16b6ef509a5899d7dfd53d9a07db8d34dc

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSq:sxX7QnxrloE5dpUptbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
    "C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
    • C:\IntelprocA0\xoptiec.exe
      C:\IntelprocA0\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax39\bodaec.exe

    Filesize

    2.6MB

    MD5

    3819d1e68adb1e364e0293464ecc63fb

    SHA1

    1593fa658080cdbdbbdd30e4747e3e218ee89410

    SHA256

    f1d2602b66e4ef00f2d3f4ff9cc6d29e6b59b6e92c467cc1807d93b5318ac621

    SHA512

    d92767fa3bcdcce5a1b3cddbb5ad87dc8a059777bcfa3a82853755f426d98e6e7b29feb0b4a5a4f44cfc31830ddaa1e1843a8ea617f6c64316a624a25ef6e7a8

  • C:\Galax39\bodaec.exe

    Filesize

    2.6MB

    MD5

    680222dcaf692802bc1aa0ae1bf5e7db

    SHA1

    01876aa75d4748d92b16f64acece7ae1dcd7e758

    SHA256

    be0b46505250e30c63431d44460df8eb54734af7aacdbe3442b553463ed93997

    SHA512

    57e8d4f6ebb6598a51d4d8be7723e12dcf2843cba39a78700a239a22313bc3fd76428c2148f26f57d173240b6bc1af8fcc6f54914c55fb36214b857fd072344d

  • C:\IntelprocA0\xoptiec.exe

    Filesize

    2.6MB

    MD5

    dbfc8b6bc1d2ef5d9682c1298a6ddc5a

    SHA1

    179ac341738826804bf49af8f39cb6d05e3e6521

    SHA256

    c13e97829739171aae3332d841bb725aef88adf7df434f6706f26dcd433ac552

    SHA512

    408bab3afd32fdddca2956da94a61f8671fce2afdfc60b3f28bcb67c49471898af2ef1a95fe4d2a7f7d12d795399caaf296d80aa8588333fd74b6a4f0d5070e5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    dc64137f77b2bf4d1514e4db35bb7119

    SHA1

    9a3ebff89528e3d96a5272a6b361b3866b859051

    SHA256

    4cc862a8c0ef22c21a4693d0107b2bb7d40dbc2b4f77f6a4fe14922a0ba43d2d

    SHA512

    27a36f3b8a4d96f6526c4f8c7f35b394f437ff5cf8ec95a281d1f95c010b5d7c98acbd3a0b7f5b03f8d60a1dbadc765727f5f15132399f96237e40ea0f11ba2c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    20e83274b1cc4cf664af79cdce20c028

    SHA1

    0f22631c5eb6aeb25b20d18e55c6dc322fae2f0d

    SHA256

    566fe8a824d15110563fe33bdb22b6d059abb55136911a95d802216f1ebca7f4

    SHA512

    f9e0100a1c11fbbbb87dcc806eece16068b57130bcbb8705fc3d001b6e0651a2d39242dd8c3ddc564b32e49079ec85c35faa6370d15b4add209b153ca58f0326

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    b0373fca7645b2518b7f232fb0087941

    SHA1

    51b399d3ed0e443dba011357a4e4c2a3d2fd352f

    SHA256

    872163631dd1691553d5b73e1cec1e24828b9471a78f3d7a6821ff992ce77405

    SHA512

    f348e9e31a3752cc5b4d7b48882e410bb6368588c4b300a46581c96a84b866f3e37d341f6e762f33c5a1a7e8451cd996565818f1f873e9370423ce9feb9076dc