Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:57

General

  • Target

    943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe

  • Size

    2.6MB

  • MD5

    32d09059b14cc49fe68b1141fee20360

  • SHA1

    626d63ca2ce2096c6be7b8f185c5d0522109618a

  • SHA256

    943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353

  • SHA512

    793ac641b029d1050513d84c579b3d61bfeafb69fe34907be709ec5f4d132115cb097d046a96f1e52ac301cee6b2d31be988c25f55fdc88127d06c62e30b1a61

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpKbV

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
    "C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
    • C:\Intelproc6V\aoptiec.exe
      C:\Intelproc6V\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2956

Downloads

  • C:\GalaxQI\bodxec.exe

    Filesize

    2.6MB

    MD5

    87ab0b020aded2d0bfce4ab0a9da2292

    SHA1

    7bf0c19e7588737ad424a4c472653c2fa17c36bd

    SHA256

    1c920b36ab3e2286cdaeaf468a23e7f2a21aaec85f424031d742b443fc300693

    SHA512

    5e51e18d71e5e16aeec15a6d42dc28a66a8cfa8f3ee07dbc88f5bb5915b0aa0e64975647351b4e87dfa9aaf3afd2e882292e1c559dffb65302cca6c94e8af067

  • C:\GalaxQI\bodxec.exe

    Filesize

    2.6MB

    MD5

    e80ade7701d3be3a1f00c21fa282a787

    SHA1

    2d2bf04e9e64d43cc9c8fe5630b21e3836cef37f

    SHA256

    5015b552a359213dcfa148b09249e8f164afb93327ca5b796feb7b32498b18ba

    SHA512

    4034af83235b22e9dffee7fbc8d2ee978103ba600228c7d821059c9a877cadfafa3661aed2540d42230c4f54afafc542d8eb538a91b6726a6475f78109ea5b0e

  • C:\Intelproc6V\aoptiec.exe

    Filesize

    9KB

    MD5

    bceeb783568178019cfa9ce19da30a69

    SHA1

    3918c6d01f7a27b2a71133015ea935c5555085ff

    SHA256

    41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

    SHA512

    7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

  • C:\Intelproc6V\aoptiec.exe

    Filesize

    2.6MB

    MD5

    c3bdba2be798e539dd11f214b2a1162a

    SHA1

    34eb55a22d8bd869abe8f9f080f7a2ccbd3c23df

    SHA256

    14dc162ae13b4322b3689c94cfe65848dd07f810518af9bc3be5598d52f897ed

    SHA512

    9663ea9f93cbec70dcb9db0d811916888ce98c45f9e9c15b2c10103c81829f28c8d8390abc6849df0f449857208754e8da807ee21f531eb417cbfc31c619d037

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    2b81e6884cfe14868ed208e3d77e0c88

    SHA1

    2cba0f09c4948f7c59eeacc478396d493b1e9c96

    SHA256

    050040fce147c64f2022bd74e8034ab61ca365bf56154bface0ab9bd5f763a6a

    SHA512

    789bb07ac79e5d094b36d7aa0eb76b476763b1fab690fc1c73aa192a2a8baa37fe708fe1d923a6ae568aa7936d6da3f1a9b0f953efdcc8b2f04848eface12caa

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    477c9dc0ccdd7be4ad3d4433ea7b8807

    SHA1

    03c32efbe585c089c882e1adc3586eed68c9197a

    SHA256

    13a9ab85cacd1572eed87984b3ac55081512389da82e243887d470a4523d17f5

    SHA512

    62c9df1e8c47f54a529318f6249a73d445f4242ca35f1a039ad3e15d0e2b48ee5f070c10f27cf29031dbefc1788a9af1e0964f5e20f09c245ad21617d652e0aa

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    2.6MB

    MD5

    3a62edcc6030bd85a4099ca4dd80450d

    SHA1

    a12a072143806fb9fc192705cc1ebd7a564133da

    SHA256

    66ee382ea500f237b55e5497cc9938b6c1a33d0d3efdb33aabe458c735d98029

    SHA512

    84c86d43981a2c75add25e9c9e08c45f410064794bfaac64eca7fbef9526eff2ef1d61fb06a45888fb344648cd52065570b847a297a43667b43cdbfbe4ec59b7