Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:06

General

  • Target

    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe

  • Size

    2.6MB

  • MD5

    cbfa0825412a6ad9f76f895b18c4f320

  • SHA1

    5f2d2327b8cf845bad200996b915ed10445834a2

  • SHA256

    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5

  • SHA512

    22302470b7583aea038d0c24406155167b04d02802b5fc162997033ebc12a5ba714e42392285fe770daa074641a3ea65786bafb9c997c4ed2cc6b755740bac93

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpmbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
    "C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2904
    • C:\SysDrv61\devoptisys.exe
      C:\SysDrv61\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2828

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\GalaxCN\dobdevloc.exe

    Filesize

    301KB

    MD5

    fcfd4110e9ff4ac46089874d92e190da

    SHA1

    a9c5414eeaddc052bab47a17e6bf2728c0e27a73

    SHA256

    474ec594f6750ec293c5581b1e9ab829a97247805fd547c287e0bbbb9e1f57ca

    SHA512

    f397338328046e24f8293fc15d11558741ff43e3a00bb7a37e35f4e0e45590cf4fd44a40880fdac4391a56d8e7db98281d81ab3ecc486884ae8f01e8932e561d

  • C:\GalaxCN\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    fcfb6dafd0a9ed5def05bf9afdd436c1

    SHA1

    ddf8550483498366dec53ebb6057514de974ad1a

    SHA256

    96c1352cd4087983e6e0979d6602024f2ca3cc1b80c7e2f0d05bd57f0e40df6a

    SHA512

    f9dbf0f62bf32a046645b01182615666a4902352a6ed7d8a59510b39da15a2d37e88706ed9d4545502a09cb82e82e4b36cb0170f957acdaee1331fb87b5fa7fa

  • C:\SysDrv61\devoptisys.exe

    Filesize

    186KB

    MD5

    0730d054b9e665df59fcd0f4f8845f72

    SHA1

    ef7bbf9868204465717ddbaffd27685f56b9ce01

    SHA256

    9c570128f3ab5000bfc9f15516103221ddce99cdd2f3e23a293570778353f774

    SHA512

    d14da7e99d002eb57d4bd8eb930c38f94c075b9705af293b27572d978284da49dd0987d4206fb94dffb76c7a7ec7a91feff9ba30d13d4b2c0f0957c4487a3d8d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    b032f9094a666454d2ec4e0379d384f5

    SHA1

    bb2242f7c82cf43b24265ebd127abcfbbdb8f04f

    SHA256

    35e7930ff50d14d595531ebe6baa6f6304898ff90151b0320da224e45fbb0cab

    SHA512

    74646fd681bae7301cbf2268dcf6727187e68084813297f335a035433ce08f579098e38aa69e1823744342fe0313816b7d22fcfa9c8ab145e4eb05fdefca2424

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    70293277c3c8127a71cb4898ef8607e0

    SHA1

    183b9108d4928922e9cc7de80bcc09e0879eaa21

    SHA256

    e66ea5148541f0658e23497db37b905fd80d58fd8e88a1973761aaa3dc6ec20d

    SHA512

    341748bea5cf4be2d68e644c8483240509e8478c094d709229a1a7c84801d8c6eda82f1eb2f7430843fe25d4e06c3f8d79f365e15f269d6dc0b103780d4f5422

  • \SysDrv61\devoptisys.exe

    Filesize

    2.6MB

    MD5

    3536501d662bf382bab1aace8f3d3b01

    SHA1

    8566e77fdbce0631bf75fef8ceb075643873c879

    SHA256

    9be5c8cbaea51dc9a273cb0ca8963210e21eb42b438763a3de72d8857ec5f3b8

    SHA512

    8a0d12497954dad5dd92c085b8d9ef57e4cf6cf6b66b3a1c6e31c9a65eb1ed06c67ceacae931a51028aecb8f41146d63145a1732657d98c10ca43a2975159a01

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    06549e39218ef7ca5692fd6f9cd0e522

    SHA1

    5c607d1be281f4a10d0d0a7984a1c6d148b5e410

    SHA256

    2c3e89be0926c91909521a8dbe398957aaf9b857a99dfe79e7930d2aaf92f5f5

    SHA512

    131562045462f5b27bdb1b871c6fabeee05b1fffc41b445409607c5617af8084c076717629b1ae45c5e250b8b23e864e45280d279cf3a0b37b62753df92eb1a2