1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
Size

3.1MB
MD5

2ea85fda33ced70d1361dd6792a59921
SHA1

609d5b0d856588030255b546004e83f0814364a4
SHA256

1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b
SHA512

b668536d040d8ff17ea9b1e16d81cd93b6c23aada09d3399d0f6bfe2588e459972985361d117314b70671315c7996ac06d3c45d5e958a5186dff4b0bdf8e4645
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	ecdevdob.exe
4852	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGV\\abodloc.exe"	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJA\\optialoc.exe"	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe
1624	ecdevdob.exe
1624	ecdevdob.exe
4852	abodloc.exe
4852	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1624	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	85
PID 2460 wrote to memory of 1624	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	85
PID 2460 wrote to memory of 1624	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	85
PID 2460 wrote to memory of 4852	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	86
PID 2460 wrote to memory of 4852	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	86
PID 2460 wrote to memory of 4852	2460	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	86

C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
"C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\SysDrvGV\abodloc.exe
  C:\SysDrvGV\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJA\optialoc.exe

Filesize
1.4MB

MD5
a53b80fec6857cacfe2b783197e3646e

SHA1
ac1809fb98810f6e93073715fc4e740176400098

SHA256
3b0de3b4625c2a95e97bec50c4163ec68d2f03a09bb3f7d6740c143e2067afc5

SHA512
711c8de7624e1bf69439abb51fc002cc458e7f3b229f7ad1918c9e03459c2d70a9be5b39cb4a5aed037e524bf53869bb0f45d56ddf8227dd592d597a11b5e63f

Download Submit
C:\GalaxJA\optialoc.exe

Filesize
856KB

MD5
15197d13f492d8b3fb03c9135799db28

SHA1
1061eded8781a55acffb6a20771c8aab2c5e5e8a

SHA256
fe97cbf95344dd4e1497abdaf17740d60676d12eb2117c184a636b8ed9b3ca9d

SHA512
24ae5d79184ab16713853868688b6f3f19639ced22c1c340c4343a1e11d5a4eb4d671a9ded5f9cd057965828c402025102277e07864be689fa928b064df78257

Download Submit
C:\SysDrvGV\abodloc.exe

Filesize
1.4MB

MD5
6c2387b9059399872231953a12d92032

SHA1
c898817bc6479c10828f7c83215d1c026311afb5

SHA256
930cc7def7c5acef55f98ddfc11c4764f69d82908ef5be0fad081df9aacc0dff

SHA512
42a4601b51deaafea57e806baa8472f3c903445ad82691ad1fefe4ec7624fe768a293c143f91c260f580ff2a5e5c8a3967cb09b70dc3bebee0f463e82912c674

Download Submit
C:\SysDrvGV\abodloc.exe

Filesize
3.1MB

MD5
8dfe3d546ac2f4a0b485d72d01745bdc

SHA1
81cae2e714b788fd10267fadf91165b4eb2885f8

SHA256
c3da718f5fa7d62ac0c4c8fa8aa9775e1f7281e92bdafb53584ac29f18b30ca3

SHA512
7cdeffbf238cc18bf236c481e6de1d75db9a5019ec25f2af6c4e81302a4c1aeec4d85480dfb358640abdc9fb59c6f2f7d219d27566afde8f6b4e14d23f1ec02c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
99877872ae9bcef3467f503ff2b20632

SHA1
60fcb2ed0a1a0f115441296915bd65bb28c972b1

SHA256
8e9771dee8d46a17d6dbe71450bf6168d8503fe5f323ef47ee11dbc3c82b3741

SHA512
d53f179c5f359dc89c8c14b25374e3236452a321b4c006d22a4ef6931094b91e792fe2f7c131545d1834a3196a1e7025d28cb8c9b1d81b0db452ca48943ca323

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
a98765215de510ead84a4afebc2fd8e7

SHA1
33ec00645aa2c11ad0d0cd0a21ecf7e9d43a1eb3

SHA256
4b1a7a62ad8440f46206832e0b0ec6e63c1ba2985590c352b13849ee924687e8

SHA512
b902bed8e2d991d0e93f0b8fc00ea9f56f09934caf17c41dece13340eacebee977cfea55401d75476fc474f82785d31e0f258d75b47d573daf225356a2c007fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.1MB

MD5
52eb13fe7ac7e601c95ab00e9f7e3930

SHA1
f9de090ec1a56f2bcaac74bb2b277ff0a15495db

SHA256
5265bbe597c6d60e9716170e523575782678784a583e6a315d0b687607177dba

SHA512
c38a53716c2cf627a2c246fd93cd12ac8126039260c7aedfb7af31d4c4568e869a1d345c0bec2547abcbae78fbe2386ca9b380ac033a02151ada34114d0a6561

Download Submit