Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:11

General

  • Target

    3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe

  • Size

    2.6MB

  • MD5

    3b729d280016cc0e8979dae8c6a180e8

  • SHA1

    30b36936fc95234716ce406a9a355a9ed0e7c55a

  • SHA256

    3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945

  • SHA512

    3c99688aa4875bb4b155ae0c9fb8fec5f9194f3feb8ea7a9e54fd7e085099d779dee8b8f9b0e15d8204d9b04f9301ef0db5a872be1dd64ae9f7ed677038165e1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS2:sxX7QnxrloE5dpUpXb3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe
    "C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2072
    • C:\FilesYW\devbodec.exe
      C:\FilesYW\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesYW\devbodec.exe

    Filesize

    2.6MB

    MD5

    417515ae5894076425ceaf50b7926217

    SHA1

    5e2313e562b94e9786455cc596277651962d8f83

    SHA256

    33c21577607be746ed73bfaac2ebc0bb644d85584730c09d67d079de2a126f5f

    SHA512

    e1f387a62d5307b0d067e3f5185977f6829312151ee76b3da54f6697743eb5f412f578d2d2ea5c85291ecc2e5136ddd46f216447b503c56b0a0f01d8e047f6ae

  • C:\GalaxQK\bodaloc.exe

    Filesize

    2.6MB

    MD5

    1f87289cd012904c6d1455580af41cd1

    SHA1

    e6d2b6b6a5e1f844277d961ec2f4c3966d59c6f6

    SHA256

    22cec9ae6870d9a4d516b726b486825b6e5267e245cd919657a5b3c358e4a758

    SHA512

    b349d21a48e289d7ae272f992ec8115c761b4f426efce8c854f2a390ffd469398ffbc3a0cf696be40c4223dfe09d21f26a5e052c08d0e4d08c89b9ef5a9e3159

  • C:\GalaxQK\bodaloc.exe

    Filesize

    2.6MB

    MD5

    fb05ad35baacd24ff2c69af6bcdd205b

    SHA1

    4c43407152bd8b2b20dff1de1139c456a2af7158

    SHA256

    7030d9f75461b52f8cdb8a9079a8dd7fd2d62451495d784f30adc999bfcb9383

    SHA512

    c02eb2fa5400dc1390b98459b7ebcf6a5005952aa9f2cab50fc5f51350072964ae067051aed998cc715150102f93c0e5f04938c25e6c9dc543f742bbdf5ab002

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    053c7eb006e637de7ca7e1812a81490f

    SHA1

    af01e4525d0acbe5bcc0be6a10fc3c7e02695469

    SHA256

    1f3a19f4de5bbf1cb484b74a317705409d86a7ff35e268628beff421f173c210

    SHA512

    49037b4fb93c308ba930c6e8229b8bdc407183e2ab4f53501fa794b809a48b7d9557dabd2ce9b62be4e652245fbdfcffa2f3443e54113cbc0610b08b01eebcd1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    35850a19561a67cbc2c21fb681222323

    SHA1

    55a32c6ca3defb8232e6693990df501a2f7bfd3e

    SHA256

    b7cc7aa0dfa8909d122098a0f57e4a1cb1cb280a28e8c6c089c8fcfdfe970f95

    SHA512

    6f22b70fd8177dc7bb9169599ddbfb4c7025354300e75fbda81b3e359417ddbeffb33b62500dd7de2e0ccadab7ddc14b36050d7e6528fcae0ccc79ec20656665

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    df7ea60151ffb997804aafa2d4cd5dbd

    SHA1

    fe1ed8cbf7649f15adc7bdd4f7ea70c6a59eb569

    SHA256

    1d92d03ed553156e530edee2930507da91a4e94c98e8a80eef5e7d81e91e56c3

    SHA512

    a548a33a79c1300cd5a10d73a9fabffdceeab5df07f7119108dfe664a2ceb7e9e1d875e703003bf5ad458dfb2edfddc56c761dd61c73bb2d1666a11941439526