Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    20/11/2024, 03:51

General

  • Target

    015c43a631c8c9e838a19fa3011344160636652e6aaac6e102e9f157f78d772a.exe

  • Size

    2.6MB

  • MD5

    6f9d64e55076b08fbc816c60b8ecf3bc

  • SHA1

    6a6bfd4c89ca2527a223570a56362cff40071f5e

  • SHA256

    015c43a631c8c9e838a19fa3011344160636652e6aaac6e102e9f157f78d772a

  • SHA512

    fbf3a000b7995ef29ce533f642af017c5b3d8a27a614166a7ac16d5e36aed5eed5b6a0d608da991c552b4df01f1560aff7f24d5e318cb967a69acef3cd1934eb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSC:sxX7QnxrloE5dpUpCbF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\015c43a631c8c9e838a19fa3011344160636652e6aaac6e102e9f157f78d772a.exe
    "C:\Users\Admin\AppData\Local\Temp\015c43a631c8c9e838a19fa3011344160636652e6aaac6e102e9f157f78d772a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2164
    • C:\AdobeI6\adobec.exe
      C:\AdobeI6\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeI6\adobec.exe

    Filesize

    2.6MB

    MD5

    25dab74e8a494faa158477a9c51d58ba

    SHA1

    544e8370cb04dd6d02ae853eef8fa8924e321213

    SHA256

    da225f00feaee25ae2df31e9259bf17cdb1747e3164050dafcf71fa1066a4965

    SHA512

    d108e12c470cdfd75aa6499f8a0464e48f4d4f5af81715b380220da264d62b25242d9ccca0159fa1aacd40e6a5eefb418d0b900ce7d0c4a590901b511e194549

  • C:\Galax3U\dobxec.exe

    Filesize

    2.6MB

    MD5

    a9a7c3336b14cd795ffc8f6b6266bfd3

    SHA1

    f987d6e8a617761aa72abd64c0cff51b0d9cac6e

    SHA256

    f3e6c0df3ed8b300b15fb0429465d4e8c25b55543c3f739107547fa30921e661

    SHA512

    b38cdef84b8570911a9205e506d1d02b71ec4f9cb3a0b68ea106ae016591aa38404d702350924bd6eb91f4cb4da4e82bcba5c2bfc6845aa7ec9a812822267bbb

  • C:\Galax3U\dobxec.exe

    Filesize

    2.6MB

    MD5

    d2fbacdb78afb2dcb460d0c7e18b96e2

    SHA1

    5354c87abd2886d6eefa48b21cf59dd231d33ff1

    SHA256

    c1c3671690dc1c734102ef42c265e75138662a086a6a6b6c1af00a9e5d1aa054

    SHA512

    45de36d2e1b781640dc766cc700616fec9feff7370ea8cf1f60f558d3769cdfc0bacf6bbb05270edc3072cf5938c05f1c99bcf9adfa5df12887a29b567341d5d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    167B

    MD5

    2938ff0c021bbf8b8a831b82d45a4c77

    SHA1

    8fff61575f235440c96d492b51d71cc9f44cb802

    SHA256

    979ad828ded4f68a6f9539500420ad9b3baca6a56f87401c87bbac528846149d

    SHA512

    d2926f4391b34281d865114edcfccba5c27fba73e88499b169741e72cd3a8619d3b4851fb1f1283c5604f76fe089d655f3250cc009fe69bf8a5ccd91e29c6794

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    199B

    MD5

    263c43d2e6d86267625aa6117b2b4c6e

    SHA1

    324e6bcea2de2eff672b13b05d2c026cf8707157

    SHA256

    0c27215eea764ea23233912d560ca60112c338172c9b38b202cdeccf29d88c36

    SHA512

    19912d8a326070b944b6fce5ce7a232be7b57a383a94eb6ac28b6dcc9b1743309e12db2b2f60fc26f97279f9d30c8e74151707dd1f018ccc3ae0ed686e1c94b5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    2ad9271edcd6f419dbf804d32cfe0ca7

    SHA1

    64a9fe508fa4761bd9a2761830b89feda4696b2a

    SHA256

    03bff27e2bfac7e8824c3a4c466c7135d1252b7dec2d1f50962e8bb2645ac2be

    SHA512

    bf28c3919f7fe4a9b2aa4b5b0e9ca6394064d9dfb5661bfa02f1ace63f6dda4651b042998f924744d46a32d8a27195da637a807426641daa5e88f53c60051532
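
The Signatures, Processes and Downloads sections above give a responder everything needed for a host sweep: the drop directories (C:\AdobeI6, C:\Galax3U and the user's Startup folder), the SHA256 of each dropped file, and the fact that a Run key was added. One caveat is visible in the Downloads list itself: C:\Galax3U\dobxec.exe and the .ini each appear twice with different hashes, so those files were rewritten during the run and a sweep keyed on a single hash per path would miss one version. The following Python script is an added example, not part of the sandbox report or of the sample: it hashes files found under the report's drop directories against every listed SHA256, reports files in those directories whose hash is unknown, and on Windows enumerates the HKCU Run key for commands naming the dropped files or directories (the report does not give the Run value name, so matching on the command string is an assumption). Because the sample bytes are not on the page, demo() builds a constructed directory tree with placeholder contents; the .ini hashes are omitted because that file sits outside the drop directories.

```python
"""IOC sweep for the files this report shows being dropped.
Added example, not from the sandbox report or the sample: hashes files under
the report's drop directories against the listed SHA256 values and, on Windows,
checks the HKCU Run key for the dropped names. Paths are relative to a root so
the code also runs against a constructed tree on any OS.
"""
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA256 values copied from the Downloads section. One path can carry two
# hashes (C:\Galax3U\dobxec.exe and the .ini were each written twice), so IOCs
# are keyed by hash rather than path and every observed hash is kept.
IOC_SHA256 = {
    "015c43a631c8c9e838a19fa3011344160636652e6aaac6e102e9f157f78d772a": "initial sample",
    "da225f00feaee25ae2df31e9259bf17cdb1747e3164050dafcf71fa1066a4965": "AdobeI6/adobec.exe",
    "f3e6c0df3ed8b300b15fb0429465d4e8c25b55543c3f739107547fa30921e661": "Galax3U/dobxec.exe (first write)",
    "c1c3671690dc1c734102ef42c265e75138662a086a6a6b6c1af00a9e5d1aa054": "Galax3U/dobxec.exe (second write)",
    "03bff27e2bfac7e8824c3a4c466c7135d1252b7dec2d1f50962e8bb2645ac2be": "Startup/locxbod.exe",
}
# Drop directories from the Processes and Downloads sections, relative to C:\.
DROP_DIRS = (
    "AdobeI6",
    "Galax3U",
    "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
)
DROPPED_NAMES = ("adobec.exe", "dobxec.exe", "locxbod.exe")


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Return (hash_hits, unknown) for files under the drop dirs below root. Files
    with an unrecognised digest are still reported: repacking keeps the path."""
    root = Path(root)
    hash_hits, unknown = [], []
    for rel in DROP_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in sorted(x for x in d.rglob("*") if x.is_file()):
            digest = sha256_file(p)
            rel_path = p.relative_to(root).as_posix()
            if digest in iocs:
                hash_hits.append((rel_path, digest, iocs[digest]))
            else:
                unknown.append((rel_path, digest))
    return hash_hits, unknown


def suspicious_run_entries():
    """HKCU Run values whose command mentions a dropped name or directory. The
    report gives no value name, so matching the command string is an assumption."""
    if sys.platform != "win32":
        return []  # winreg is Windows-only
    import winreg
    needles = DROPPED_NAMES + ("adobei6", "galax3u")
    hits, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once the index runs past the last value
                break
            i += 1
            if any(n in str(data).lower() for n in needles):
                hits.append((name, data))
    return hits


def build_demo_tree(root):
    """Constructed test data, not from the report: the dropped names with placeholder
    contents. Returns one digest so a caller can add it to the IOC set."""
    root = Path(root)
    for rel, name in zip(DROP_DIRS, DROPPED_NAMES):
        (root / rel).mkdir(parents=True, exist_ok=True)
        (root / rel / name).write_bytes(b"constructed placeholder for " + name.encode())
    return sha256_file(root / DROP_DIRS[0] / DROPPED_NAMES[0])


def demo():
    """Sweep a constructed tree; returns (hash_hits, unknown)."""
    with tempfile.TemporaryDirectory() as tmp:
        known = dict(IOC_SHA256)
        known[build_demo_tree(tmp)] = "AdobeI6/adobec.exe (demo digest)"
        return sweep(tmp, known)


if __name__ == "__main__":
    hits, unknown = demo()
    print("hash hits:", hits)
    print("unknown files in drop dirs:", unknown)
    print("suspicious Run values:", suspicious_run_entries())
```

Against a live host the call is sweep("C:/") with the default IOC set; the constructed tree in demo() only matches because its own placeholder digest is added to the set, which is the point of the exercise: files in the drop directories with no hash match come back in the second list and still need a look, since a repacked build of the same dropper would keep the path and change every hash on this page.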