Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:01

General

  • Target

    b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe

  • Size

    2.6MB

  • MD5

    d4c8b342860af7931743f80fbfb54cc0

  • SHA1

    ba046149dd5e0f82d0745e59dc3bb60e07b8ca82

  • SHA256

    b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82

  • SHA512

    62c565618d47a4f594da497b35e6168802192aa4fbfc07fe497878859550e42ebaf86715bc34786c1c4c2972000d275ad7d9d936ca3f81e98079c5e4bf6c6e67

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
    "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1992
    • C:\IntelprocRD\xdobsys.exe
      C:\IntelprocRD\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxIR\boddevloc.exe

    Filesize

    1.8MB

    MD5

    da8bcc6ebcbdacba8fe89ebd44e85bac

    SHA1

    7c369e2f2be0b6bc4a64de460e54e9e9a186f1ef

    SHA256

    ca2389213049d67f68da9ffacdd6c3704849acfe3ee1512413d0db54dbb9394e

    SHA512

    5c53bec4875ed32828d3a3bc9b48865484504253d712aad9498dd62d6db716ea3efd7ac9513f86b127007d168e2b9c6c77e5b9ba6ca6e43a99f7478b1241f638

  • C:\GalaxIR\boddevloc.exe

    Filesize

    2.6MB

    MD5

    dac147a8c3d9fe57b952ef158f23fdb8

    SHA1

    b31bc539f2555ad8b895f7f85980efbd1d68c151

    SHA256

    3779d3148bc855d4bb404ae14248b22c6e54f6dd006382c1c2473fb39a396887

    SHA512

    d5da2d77ed048ca3879ebafcf5e7dce2558f64001c3d89034094df79bce469ebb9d21675bb54dcac35abbc5a70d0373a28559f930fa77e623914cedca6f49853

  • C:\IntelprocRD\xdobsys.exe

    Filesize

    2.6MB

    MD5

    95e5ab406dd96730838f0cc849018587

    SHA1

    7e022e553e25e3e3701bae8c867c67c0445b0eb5

    SHA256

    8d61bebc12695dfdfe584478d375c6f20b7695baa5aa1ac14b5a9f5aab8d555c

    SHA512

    ad284e0e2edef304ba7da9c20b1f713908c77bf8f53c63731b0836fca8293086c6fa3932cc98c4a9755e324cdb76c4a10619477b69bbb06e2a2ab7290c4f43d1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    177B

    MD5

    3d91fa2c74ddb8c0de7ee8274d1686b9

    SHA1

    b2ddc2c36a1c6f06736d250d5daef112e8c05027

    SHA256

    87891a03b79fe92640a8ca90f88647391b686fe616e1558b0bcf789da3a80b50

    SHA512

    6c38ea2a4c784879acbdb7275f3689af1453f33faac05fc2e1d0de718b01d980d0a50ae761a3456124161d5b5899e27fb756e124e8741e1541aeff34b998dfc3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    209B

    MD5

    a36b973a46c9503a9f84964da9baa1ce

    SHA1

    a78a6010d4b1fb95558026302ba2a0aa3b95ac6d

    SHA256

    381ea41fb22beb9450de04cf7743a219485fd42369bfe052360ec0df5fabdba0

    SHA512

    6897c12deeddff7479f144d262d748d1c4a552af2880c7b2ae15f7f06556dd47a97e5ad2120bcfb7aa905d428df70aeaa1e0733219dd825203efe8dc21de05df

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    2.6MB

    MD5

    88685b262a5780558f3fb6ee6e8f6f47

    SHA1

    57ca49dc1c15765c80ffe43be4e3da2362db92c8

    SHA256

    186476bbe9bf38cf4605c16a100760d2351eebdcc6c3661c39ece056304c2c54

    SHA512

    93f1417f70afd7c8fe3f36fd7c496a32798aae4b323f663b8c316b575f3d07d6f2975a330113bb4f5b709b1ce929dc6a4f71c37548d42742b4471dc571ecad1c
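Two things in the Downloads and Processes sections above shape how these indicators should be used. First, the same path C:\GalaxIR\boddevloc.exe is recorded with two different hashes and sizes (1.8MB, then 2.6MB), and every dropped 2.6MB copy (locdevdob.exe, xdobsys.exe) has a hash different from the submitted sample, so a sweep that keys only on the SHA256 values will miss rewritten or variant copies; the paths (the Startup folder drop, C:\IntelprocRD, C:\GalaxIR) are the more durable signal. Second, C:\GalaxIR\boddevloc.exe is written but never appears in the process tree, so it was staged and not executed within the 119s run. The script below is an added example, not part of the sandbox's tooling: it takes the hashes and paths from this report and classifies files as a known hash, a path match with an unknown hash (a candidate variant), or clean. The function names, the verdict labels, the suffix-based path matching and the constructed sample contents are all assumptions made for illustration. The host-specific C:\Users\Admin\253086396416_6.1_Admin.ini (the name embeds the user name and 6.1, the NT version of Windows 7) is deliberately not used as a literal path indicator.

```python
"""Offline IoC matcher built from the sandbox report above (example code, not the sandbox's own)."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA256 values copied from the report, keyed to what they were observed as.
REPORT_SHA256 = {
    "b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82": "submitted sample",
    "ca2389213049d67f68da9ffacdd6c3704849acfe3ee1512413d0db54dbb9394e": r"C:\GalaxIR\boddevloc.exe (1.8MB write)",
    "3779d3148bc855d4bb404ae14248b22c6e54f6dd006382c1c2473fb39a396887": r"C:\GalaxIR\boddevloc.exe (2.6MB write)",
    "8d61bebc12695dfdfe584478d375c6f20b7695baa5aa1ac14b5a9f5aab8d555c": r"C:\IntelprocRD\xdobsys.exe",
    "186476bbe9bf38cf4605c16a100760d2351eebdcc6c3661c39ece056304c2c54": r"...\Startup\locdevdob.exe",
}

# Dropped-file locations from the report, reduced to the suffix that is stable
# across hosts (the Startup folder lives under a per-user profile). Assumption:
# suffix matching is good enough for a first-pass sweep.
REPORT_PATH_SUFFIXES = (
    r"\GalaxIR\boddevloc.exe",
    r"\IntelprocRD\xdobsys.exe",
    r"\Start Menu\Programs\Startup\locdevdob.exe",
)


@dataclass
class Finding:
    path: str
    sha256: str
    path_match: Optional[str]   # matching report suffix, if any
    hash_match: Optional[str]   # report label for the hash, if any

    @property
    def verdict(self) -> str:
        # Verdict labels are an assumption for this example.
        if self.hash_match:
            return "known-hash"
        if self.path_match:
            return "path-match-unknown-hash"   # same drop location, different bytes: likely variant
        return "clean"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive; accept either separator.
    return path.replace("/", "\\").lower()


def match_path(path: str) -> Optional[str]:
    norm = _normalize(path)
    for suffix in REPORT_PATH_SUFFIXES:
        if norm.endswith(_normalize(suffix)):
            return suffix
    return None


def classify(path: str, digest: str, known: Optional[Dict[str, str]] = None) -> Finding:
    known = known if known is not None else REPORT_SHA256
    return Finding(path, digest, match_path(path), known.get(digest))


def match_iocs(files: Dict[str, bytes], extra_sha256: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Check an in-memory {path: content} map against the report's IoCs.

    Returns one Finding per input file, in input order. extra_sha256 lets a
    caller add hashes from other reports of the same family."""
    known = dict(REPORT_SHA256)
    if extra_sha256:
        known.update(extra_sha256)
    return [classify(path, sha256_bytes(content), known) for path, content in files.items()]


def scan_directory(root: str) -> List[Finding]:
    """Walk a real tree (e.g. a mounted disk image) and run the same check, hashing in chunks."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue   # unreadable or locked file: skip rather than abort the sweep
            findings.append(classify(full, h.hexdigest()))
    return findings


if __name__ == "__main__":
    # Constructed sample set: the contents are made up, so only the paths can match.
    sample = {
        r"C:\IntelprocRD\xdobsys.exe": b"MZ constructed stand-in",
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe": b"MZ other",
        r"C:\Windows\System32\notepad.exe": b"MZ benign",
    }
    for f in match_iocs(sample):
        print(f"{f.verdict:25} {f.path}")
```

Run it against a mounted image with scan_directory(r"D:\evidence\C"); anything reported as path-match-unknown-hash is worth pulling for comparison with the hashes above, since the report shows this sample rewriting its own drop locations with differing bytes. The Run key the report mentions is not checked here because the page does not give its value name or data.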