Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:13

General

  • Target

    1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe

  • Size

    2.6MB

  • MD5

    62790805093f2630379ad1c157760e60

  • SHA1

    0a13f012cc8f0a233235607ddbc3852f10ddcab0

  • SHA256

    1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9

  • SHA512

    bdcd535c45b69db4a4774cde6ede93db6c575ae1349fe1482c748eab4430509171139edcc06e37e89e349d2df2df30a19f119188d2e1326fb8e57fe6bbce774a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpqb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2748
    • C:\IntelprocP1\adobec.exe
      C:\IntelprocP1\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxQU\optidevec.exe

    Filesize

    13KB

    MD5

    8c3627c138b69a29f1f3e7743c377ac9

    SHA1

    38d00db20d4ccba9fef285bc5b2c50eb73f352a7

    SHA256

    2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627

    SHA512

    0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21

  • C:\GalaxQU\optidevec.exe

    Filesize

    2.6MB

    MD5

    c69ee011a781b6455abad3435e01a4c8

    SHA1

    8513c927d7132e0bf31c904e70a286a038394765

    SHA256

    71c1b4731c1cd67ab838beb313dbbf44da94a3513f5cb5d04e5dcd71635466d1

    SHA512

    495e994d1a8bd2cea3271bc70d33e75ecc1d8751574da642cdfe7d824909fc737e862cf80ca0bf83e1418def9a3b1a417437afdcc24aac861fb61bcfd959aeb2

  • C:\IntelprocP1\adobec.exe

    Filesize

    6KB

    MD5

    b646265f07f9f16a9eedf6d5027f9e3c

    SHA1

    a47300f0e83643f499e1b7c1be83a375a1293ac7

    SHA256

    d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

    SHA512

    403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

  • C:\IntelprocP1\adobec.exe

    Filesize

    2.6MB

    MD5

    e8b0e855d64d7010d47a21d001937569

    SHA1

    6719d6ac4c67ae201dd346e4112717c4814f49ce

    SHA256

    9a19286b5c6f6544dfc0f93bbb9f566adc9a51e25f1e7c737e1363224d718d6a

    SHA512

    b1d07c57ef30c62c461cc68fc111ddcca7e85d8de2a5077131800b8bd370c1910f72a1c2f9db850baff27e2810983ac07568ea00f78b8269a0606e860214a113

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    b91f602c7281229450a3bc247fe89049

    SHA1

    fa808a8828609ff28930a4c46230b333511d79bc

    SHA256

    7f9af52ae69c2f2c7528c95d25e10d0629b470a5cf059c81a2ec96cc4cd5ab20

    SHA512

    896d4f43870b90483298c327f07b28b79ade7c2aa69a97c53fdaf20ad67e931678d5cc81a5bc7fc1157aba7b38113164414bc0a21cabd3494ab9722a6bbfe445

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    729794b044e400273060ec28859027df

    SHA1

    8bb1ac2b9032bc35116d026932eb9f6cfb3a2ecc

    SHA256

    eff42782d9d1f21b1dbf2f60ae6ffd2bb5a23d6f7fa11ece0d1cdb66aee0d7db

    SHA512

    d8c236f50688e445b974a98fc863debd6d60a8c43ba11497b22970cdc06056fd14a57eefc80da4b021ab722fca3f8b3735f1ffe218bd6c831a52cd1d19a18789

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    f29c484136ce356cb679f7dca022d5b7

    SHA1

    05991d49fcc6800690ef7863ab2e5674ce4a3f69

    SHA256

    73c2e0c185ef2076adef07ed62b2718676abdcf3d92ace4843a87ae1460acf45

    SHA512

    cc360975e5f9d3b056d1ba7c3d9c920f630a40f264e100260b86b6b59ea8a19ed5e4c5dd90bd4fe28149f2967e5d8f7918d5565953ea85ecbe5406de8af5c435