Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:39

General

  • Target

    84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe

  • Size

    2.6MB

  • MD5

    9bf4f468bf0478b72213306bda31c250

  • SHA1

    6efc0ff3dda70bffbb144d9a1097622a16113c0a

  • SHA256

    84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855

  • SHA512

    56e9c10e59c98b5813a31cffcd23a3c2e28af4a19c5f30bfd62ff761872300167c81e227343327cdc2c5c913bd435b77e14e1a262078acc2c84638512910b9b8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpKb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
    "C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2444
    • C:\IntelprocWW\xoptiec.exe
      C:\IntelprocWW\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax6N\dobdevloc.exe

    Filesize

    2.2MB

    MD5

    62c2189129fab5c593617f1e52ef586f

    SHA1

    b6c87155563fa20de416377370e780dd495ca0b3

    SHA256

    33d79d9180a9aa7023fc9a2360309f0d5e5182f3ca5ef511da4e9a0418dd4617

    SHA512

    5b591f381844561cd5313e9dd62d2793052879781a5e73351dd137d92e5849731b96a5b884eb7b25a52792ea32cbbd6d47815e88c32c783e904cfd3ff3d62b67

  • C:\Galax6N\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    ed462bec0532d4e49525e1664c5d8840

    SHA1

    6cbdb1974be3f3b61ba9cdeec6e7d89a45a2ec92

    SHA256

    99fcbc4e3e0c2e574f510444e8a0bcd470ec9f23f1033d08001b63076eeae80e

    SHA512

    2127794ab6479c5d060b2800d662c91f145f2d40188b3ad745ceb3855a911ba8a37534e1d9e18cebb4325cc7df8e07abea977bc8e02e66cfcc3076e24ffa9d19

  • C:\IntelprocWW\xoptiec.exe

    Filesize

    2.6MB

    MD5

    c1cf50fe1f971a4f3f331e4368f94d2f

    SHA1

    af87af81edecd7f82dbedc78200104f7b3e8d25a

    SHA256

    c9fa26ee5d6762efb29314abc5e48610e1ceec0428ebb53950ec98d46ca21101

    SHA512

    460cb26f8499a55fe20acec84b2d15a205546835832061ccf8777c4a58b168aa9640370ab9436d2f8a3ed47d3990795e903e9ef0852d8198ececad5d48be3377

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    177B

    MD5

    9d0805f24d3b515ade1c39b8e3c25fac

    SHA1

    207220ae9d0a03e2f4b16de5c5f250f01ad111c2

    SHA256

    f25cec10e7162f09b076d176a92e96776a1a206f667dcfa1697926719ffa6d3f

    SHA512

    2a7043951c1cef0795dcac75997efcc29d3e3239a1590ad9c84085dc44c1edf55083396a9749cc173065f8ec2f64f4c58c81da5eca7ac5f23fc9a6e7b0cbc6e3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    209B

    MD5

    711d0b2e6d825efd62d5c271a3eabf91

    SHA1

    cb97d3bf1aedccff9b6488b8236ec510baf42ac9

    SHA256

    4eea5d3befe24f8946c5bcc09f4e329e7ab92e1ec1dbaf2fa80aa6d3ccdb11fc

    SHA512

    0af3d0825d57e52eab3f35fe2b031dd297eecf5c0908bdccc96249180c28fb9979058a40e1535fc14b4ee6b6e7e50467b9bf710aa19f658e9322d78f26e2f8a9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    68a97ac5d8e549b69410cf595a5fc77a

    SHA1

    8a962736ff67d39c58fd1e69744685ba69a1d394

    SHA256

    79cf4253be718a385f584e03286609263dcb4ac5393d01fedd1975f1b8941085

    SHA512

    6ac1600596ad3d4909f221e8870ded1e111cd07b9f0766ae3b668e28789042f8913056c41eed9595b599d5be60008d4cb2f449173c66bafdf998921f2dbcdbb3