Analysis

  • max time kernel: 120s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 14:16

General

  • Target: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  • Size: 2.6MB
  • MD5: 3e43ac79893671e60cb51956afb88c6c
  • SHA1: a0d7cd7729b11903f090c6aef75e7d2dba4435a7
  • SHA256: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130
  • SHA512: da1abc2d4b99707afdc13569ff02bcbb440dca4f8eff4b53c59edabd9beb48140ea80130e4d5302a8d678882a5ae69972b19774c3d41215c456ac494e2b0c360
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSG:sxX7QnxrloE5dpUp1bv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
    "C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2052
    • C:\UserDot6R\devbodloc.exe
      C:\UserDot6R\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxIN\optixloc.exe
    Filesize: 2.6MB
    MD5: 461735ec337ef851d251acd66cf9098a
    SHA1: 2028ed86cc9ac77dc4d70636f56138a50cf3cab3
    SHA256: faa4d3aa5d00b32f9b3c36d0e5b298fccd52b464d3402ade1c90e527b9c0cc45
    SHA512: 034d4179fd475cd43d71613d780bb55a1fb169a203cc26fb715f7d930c7628beb7e68ab32a1c80d8deda12f65285def623240120427a7b5f96b92ac619762fe8

  • C:\GalaxIN\optixloc.exe
    Filesize: 2.6MB
    MD5: a03ec0745cbbf87b4b1c84d0d3384a5c
    SHA1: 5c230b4983a27b6c5ddbfe993dfec24a14a9d7ae
    SHA256: 19911e8025e3ab466c27a76521992e79a0f28ac56ff0089bcb31da397b748c7c
    SHA512: 3e3ba0e4f25e040df3b58871a30c9db170a8ea87bd600d68c226401fe8bc664896a3ddeda52fc04473c805f16a4a108d2af2de2a05965a9f2f99a7a769b85e0f

  • C:\UserDot6R\devbodloc.exe
    Filesize: 2.6MB
    MD5: c443e1f50796bf14b7888622b1266cf9
    SHA1: 2f473d989f134edf868c9b660e6687bc71cf3a54
    SHA256: 0f4d59d4ce749c923bfcc83ceadfc7f14d9eb74f4665834e5adc596c406f1393
    SHA512: 7a2c295bfa8a8d31f2ba8c510cccc9f88fbc8b634c9f5d6b4da2b04f2840a98924c3a48c2f90cdfd05405ea1ba5c3f6d7ea4f304726d3880a4a3ff343d36b1dd

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: 62f3c5d569b3d35a5dad1c79887165a4
    SHA1: b5b95e8f64794d6b19dc3260adf6f0aad05aedbc
    SHA256: d7d50f02b8d873e56b25af5ed21ff198c107c3167d4c85712b7f5916a46a72cd
    SHA512: 142702403a175a65a674413f7c3263f699d67fd2f37d1575b4914e7ea7e68a5a7ca0ff9a8542f6bd0a53a1a6a711d9ab2843db150c560c351dad3c04409e5c0b

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: e30433dc3e02c459bf4ea83f545b46ad
    SHA1: bd80a5c9d507d114760d128b03766897b1c6be40
    SHA256: 9a86ae7ac5b712d915e2903b74bc48854f37691b425184faa4a25bd9585cf74b
    SHA512: 44da8e4d6ce0616680d2d5840d240180f4ee856d488d16134b7634069346e6b95d8fb2d1341dcffbdb2245a7c557b73790db3b58679ce8310d0e93b0dd2f6864

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: 7d9750054f64e1f72f58aea970b712b0
    SHA1: 1174d5c52e457834a6cad1522a714bcab1245d5f
    SHA256: 5af8e7af584d36c4a7b841f32428e83539008140aad0e5af10c2311cbcd758f5
    SHA512: d089e014c20d8ed1edc615854cfd1475131059e1508d5a508dbc23d335363d222c7a7e9cccc9ec01417e6c838954989aade712a9675c7736caf2b7272ffa0906