ff55ed7f325774e23de32da446f4e479ba925fc5ab5020e9661c6694ab72c1d7

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f52222b40053bfa4f2114578a2848c_JC.exe
Size

2.5MB
MD5

79f52222b40053bfa4f2114578a2848c
SHA1

986bb2b858d535bb51a48bfd69fadb28fb10b314
SHA256

ff55ed7f325774e23de32da446f4e479ba925fc5ab5020e9661c6694ab72c1d7
SHA512

b1337e9fddab7e290f4e08b2a6779c2a799c5bd407fa6c85cbd86b589a92c20872bbf81d493c3c379378a22cec84de10f83e2380432fdb13f3fae9d838f4bb68
SSDEEP

49152:ORw+fHVKnQnbcqnq5MkE4bOo4BkZHSjpjK3LBAgvLS:ORww3ba5MkE/DBpiL

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	79f52222b40053bfa4f2114578a2848c_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	locxbod.exe
2500	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	79f52222b40053bfa4f2114578a2848c_JC.exe
2688	79f52222b40053bfa4f2114578a2848c_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8V\\abodsys.exe"	79f52222b40053bfa4f2114578a2848c_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1F\\optiasys.exe"	79f52222b40053bfa4f2114578a2848c_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	79f52222b40053bfa4f2114578a2848c_JC.exe
2688	79f52222b40053bfa4f2114578a2848c_JC.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe
2756	locxbod.exe
2500	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2756	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	28
PID 2688 wrote to memory of 2756	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	28
PID 2688 wrote to memory of 2756	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	28
PID 2688 wrote to memory of 2756	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	28
PID 2688 wrote to memory of 2500	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	29
PID 2688 wrote to memory of 2500	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	29
PID 2688 wrote to memory of 2500	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	29
PID 2688 wrote to memory of 2500	2688	79f52222b40053bfa4f2114578a2848c_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\79f52222b40053bfa4f2114578a2848c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\79f52222b40053bfa4f2114578a2848c_JC.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Adobe8V\abodsys.exe
  "C:\Adobe8V\abodsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8V\abodsys.exe

Filesize
2.5MB

MD5
c8498fd8979a59d41d588789cab722ce

SHA1
202100be43aa07f9704799c8196d7134f611eb11

SHA256
584fae57078c02e669db18e6adeb4a7dca04cbf19879ff8884a1d2c9ec9b90c8

SHA512
d13110c1776567348bac27cbb4b45750544001b3b990a0d3ba9ba0c117e7a22026b89a75a9e290d13ffc5852799024de12829b8242e36e7c3e1fdfe481749576

Download Submit
C:\Adobe8V\abodsys.exe

Filesize
2.5MB

MD5
c8498fd8979a59d41d588789cab722ce

SHA1
202100be43aa07f9704799c8196d7134f611eb11

SHA256
584fae57078c02e669db18e6adeb4a7dca04cbf19879ff8884a1d2c9ec9b90c8

SHA512
d13110c1776567348bac27cbb4b45750544001b3b990a0d3ba9ba0c117e7a22026b89a75a9e290d13ffc5852799024de12829b8242e36e7c3e1fdfe481749576

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
189B

MD5
1e5bac47075359300d502be421bb6557

SHA1
fe7d146f077b4645e55d95c22da0f3a3e36d21ce

SHA256
3ffb611e9c23a3c794ff2f2e8b162bb00afebd9d0396cca1c3c55e3173309796

SHA512
9f37cfe999587aa19452a4d24a54602844c14026bbea385671d1777a1e6962669e4406a76658ffdaf1b725fc4441c1922304f99b2ff48a706f41e1af7808f6b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
221B

MD5
2d1b26ba2a625a1ddf530926ad73b93a

SHA1
b695b909a7f6329a720e5c3420da169f9d21abf0

SHA256
124ec019d073ff2f490a56cd8582a2542f2374a0dfde96f9dedfe53dd7d06c2a

SHA512
d2f2d4bc1d2e926de6b7bc68986de444045b77dcbc3953c6e605dfab7ac2db0adb70d367e575f2788ac2078afa7f7b2b2ba55303a5ad4fca8c70f34534bed43f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.5MB

MD5
d4223942b9ab7e71dc7f49b4b548802c

SHA1
3cf2afbfe3c39117cc7e3f0b6d091d7ece5bb822

SHA256
fe992906f65f7bd0c947bec1cdbedcefee798b1a3dac13ea7dd465418f6e099f

SHA512
31a55f8050bb3b23840c35aaf7ea44ed91fd9adcac9085cfdb5c2f6151188035a200f9845bf10a2f0bac14177a6caae82d76d4a28d1414ba271b01fe167b58b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.5MB

MD5
d4223942b9ab7e71dc7f49b4b548802c

SHA1
3cf2afbfe3c39117cc7e3f0b6d091d7ece5bb822

SHA256
fe992906f65f7bd0c947bec1cdbedcefee798b1a3dac13ea7dd465418f6e099f

SHA512
31a55f8050bb3b23840c35aaf7ea44ed91fd9adcac9085cfdb5c2f6151188035a200f9845bf10a2f0bac14177a6caae82d76d4a28d1414ba271b01fe167b58b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.5MB

MD5
d4223942b9ab7e71dc7f49b4b548802c

SHA1
3cf2afbfe3c39117cc7e3f0b6d091d7ece5bb822

SHA256
fe992906f65f7bd0c947bec1cdbedcefee798b1a3dac13ea7dd465418f6e099f

SHA512
31a55f8050bb3b23840c35aaf7ea44ed91fd9adcac9085cfdb5c2f6151188035a200f9845bf10a2f0bac14177a6caae82d76d4a28d1414ba271b01fe167b58b0

Download Submit
C:\Vid1F\optiasys.exe

Filesize
832KB

MD5
5e95ac04a36e81dbbf965f72095135fe

SHA1
8cd03ea5fe8fba400acba2be25b3c21a06eccc19

SHA256
2a4a052b7334eb9b55698ac789e64a95ae33c500380ee4f21373b8d0321f3e20

SHA512
efe7fca63de6e425a7919bfaf4dd9eede5bf7b404c62664f0303d91f4ece0cdd01594b8919836c4da2b6b79dc57489cf3d52cd97475d16f99fa1290d9f0fc9e7

Download Submit
C:\Vid1F\optiasys.exe

Filesize
2.5MB

MD5
b89f28d3e5b39bdc809bef2127ecd148

SHA1
bc1c1e9af49578a1045d0ee037514a264a8b4d58

SHA256
e93d37ed02d848b768cde805caa1b8f429b01a8261c77e64766d17c00fef47e5

SHA512
35e4fd2fea5d583a278a54b24ffe3875267a2428b01ac72699ed4e0a143c216572c3633596297fe1f0b3b296facd6a363a572fcb224f8a2d7e154cc1cee2b299

Download Submit
\Adobe8V\abodsys.exe

Filesize
2.5MB

MD5
c8498fd8979a59d41d588789cab722ce

SHA1
202100be43aa07f9704799c8196d7134f611eb11

SHA256
584fae57078c02e669db18e6adeb4a7dca04cbf19879ff8884a1d2c9ec9b90c8

SHA512
d13110c1776567348bac27cbb4b45750544001b3b990a0d3ba9ba0c117e7a22026b89a75a9e290d13ffc5852799024de12829b8242e36e7c3e1fdfe481749576

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.5MB

MD5
d4223942b9ab7e71dc7f49b4b548802c

SHA1
3cf2afbfe3c39117cc7e3f0b6d091d7ece5bb822

SHA256
fe992906f65f7bd0c947bec1cdbedcefee798b1a3dac13ea7dd465418f6e099f

SHA512
31a55f8050bb3b23840c35aaf7ea44ed91fd9adcac9085cfdb5c2f6151188035a200f9845bf10a2f0bac14177a6caae82d76d4a28d1414ba271b01fe167b58b0

Download Submit