Analysis

  • max time kernel: 120s
  • max time network: 53s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 14:01

General

  • Target: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
  • Size: 2.6MB
  • MD5: d4c8b342860af7931743f80fbfb54cc0
  • SHA1: ba046149dd5e0f82d0745e59dc3bb60e07b8ca82
  • SHA256: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82
  • SHA512: 62c565618d47a4f594da497b35e6168802192aa4fbfc07fe497878859550e42ebaf86715bc34786c1c4c2972000d275ad7d9d936ca3f81e98079c5e4bf6c6e67
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
    "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1048
    • C:\Adobe47\xbodsys.exe
      C:\Adobe47\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe47\xbodsys.exe
    Filesize: 2.6MB
    MD5: 60ceba79d69ac964383983a1c796c46e
    SHA1: 655f32f8766944928611dfa3ca01cadcfc744712
    SHA256: 8ac4cc9453d85c06c4ead65c07a3f61c1148d6c8b54b31dac7769704cf3b2c48
    SHA512: 848b2d6ddb28491fafbcce7db48b07a843eca866f6835c80e7b1e5da14b87c130eda7989ca31d4f68f3eed7761ae712158bb5398399a55266d27f025b45e3613

  • C:\GalaxDO\optialoc.exe
    Filesize: 1.1MB
    MD5: 039d3fab34ed62c8c001a02ddd8c2a26
    SHA1: 30ee4cbb8888ccc89e767285e1e310051bbdf3b1
    SHA256: 19e905f5a464f191728015ac56dde9f9bdb0103b3ad369ea0e31a85cfa3236b4
    SHA512: 8e10f5f1a5ed47b78a7ac7fbeba625f27c8a86396a90fc17cadd2ef511194ad87cfe17b92868a99c6891511ba8bae210230be0dc7b32fa8d63f6970fb116626e

  • C:\GalaxDO\optialoc.exe
    Filesize: 572KB
    MD5: 153ced5118521513e7eec00f7a1b74ff
    SHA1: ddf23f712b8177756236cbb00a334db930a103e2
    SHA256: 39cb7d40df2124fd76a0c3d8604233ba63ee964fa44c88746709a730aa5f3310
    SHA512: c0fb2f6c471d63f561172d8d067f05746e22a40542e1e2e392b5bb2b4300fc103a637bb5fc1951b2e0727c67d1b918c2b6e3a8f6e9e803c2237a62659db7cce5

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 819dfa4b8981ac1ba0f66aa2fbecab0a
    SHA1: 5430bef53f9f87755400e40d34fce9d0794cc997
    SHA256: c21e6e67115d6e6ad86f42695fc838bebeecc0d579cf21e5215b10ff0c44dd74
    SHA512: 464ebe4ed0d451fc2946d39dfa547d0b4712b77664e3a10377db28cd81fae8645379145bf25dae43a11f810ab8ea15c23c99560e0d9928e04dda984df8b47621

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 5d974e0d192f5044c626ddb6ca9be3ff
    SHA1: fc1e3e525309136a75dd5ee6689740d0704c9a83
    SHA256: 3eca18f942dc345c76388f469964af097bf6470c47fe391b62cb8fd995fbf575
    SHA512: 8b58b47b682d37b288f075b7d07de722427899f694483a76a51c7cc983166366a7c719e073179cacf2a585da382e9ce6c0d15c12649b02d5be7004d5843558ce

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: 5c7361fb1a33a640588fd3a611ed1638
    SHA1: 20996988ec57bc588ea055015a9c56e000626787
    SHA256: d6914638af78194b21251965d910e98a6f3bc212bbaf6802a0a2f8fd2a934b18
    SHA512: 7b805fddb81a2f93881e3377bdbbf938290d8319cf50f145efef052d5511ceb9ac7d4a251724a4d4a3cc7db84aa793560c5f37c62a9b77eebb1a453ba419bef4