Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 19:48

General

  • Target

    57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe

  • Size

    2.6MB

  • MD5

    e1555873a42a82d6f39b1081fb561cef

  • SHA1

    e993f5ef7cd73bc52cc4be8d25a012e06a552f17

  • SHA256

    57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8

  • SHA512

    71c0f07368d1a06f026c9ceb58c85a3cbe0f1743665041b0a58545486f85d72095df10d6e61c149d008edcb379fe0975391ab3d71eee1fdc24ad3762e986718b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqv:sxX7QnxrloE5dpUphbVv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
    "C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1684
    • C:\IntelprocZ6\xbodloc.exe
      C:\IntelprocZ6\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxAH\bodasys.exe

    Filesize

    2.6MB

    MD5

    4a98f28708d3b69fdba2ca1820cda614

    SHA1

    c4abf96ac618b923c0204eb9777c83d5e7794817

    SHA256

    21705ad76cea6bb93cbebe83333d4bebb4950f6ddd80a4d878997b2229f06f7e

    SHA512

    3603079eae5ecf203489ddff84b1dec20c50ed56951f420917f8d27a31d4e31b9dd076dc1e2362401fadb678613b9176c9f931ff0b16fdb70cdfb09f6872f313

  • C:\GalaxAH\bodasys.exe

    Filesize

    73KB

    MD5

    dc15e86e319ef185540511b77b43aa8f

    SHA1

    8a43b3cafc32391559f9308331f6eeb2dc06f750

    SHA256

    511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6

    SHA512

    c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667

  • C:\IntelprocZ6\xbodloc.exe

    Filesize

    2.6MB

    MD5

    c63623d7d58f5985f5af1d647fe48af2

    SHA1

    502f2fe423a9e727ee91f3310b6dcacbd8897fc6

    SHA256

    19999e66557bd54152a8ed7b7b95d66bdcd4a3947eeb7407d731ab6c968767cd

    SHA512

    b6bde127ff85b0addb5a039591fbeb4172fe7582f4243a8bfcbb209dd337ef718be579d533b6dc9ecdde52f266fa9cf20065ac67735977be4714e1d9c4e6137f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    3311d824d5b2c425559a6b6cb02e8531

    SHA1

    351518052ea3f92dd0059667b65a0146dc2ebf89

    SHA256

    dff2eed3eed9529f1070ef2ef4abd48217672eb0c9f9a94bbaa9b4073800c1ec

    SHA512

    e1c12d477271d5cfd6a7d25b6f9bb42645304186d4d541851b2cbecf8a323b0641c9ac9719849b3fa7969db76157f321da06e8d89e43184f4ba999835a2f1402

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    a561986076a98ec2699d986e70254643

    SHA1

    4eb20f47f9f3205d143801a325f07c00784a83a9

    SHA256

    7a1ae1610cd149c3fc346c6697e30e9a20bb72af9b6e03418e803e68b916491a

    SHA512

    90567f0061d05b03dcd5f65c8ac71e1937a487b9a20d433badab5bca403238c28613aa3ddd03488ac16064127987cf09e1a7fe61667113c9e198b550c258e3c1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    2.6MB

    MD5

    5063d8562e42e3f6ea51dfa0df6cec2c

    SHA1

    d617c2bea44b07707e27b3b2f724f5de1b5cc17d

    SHA256

    6f7758eb0c085f21dff1c2d27405a3adf12953a36448ffe4c9b38dec5a990379

    SHA512

    d9b32593973f85b027ac691964de3af4e7fb59a61328cfa2697571c3ea84335309342f11e158f94891829774de0a6d6694e2c8c88b3dba11410432b31abff8fe