5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
Size

4.1MB
MD5

f7a6e8b52783d562ede808feff502dbe
SHA1

5c9b367dbd9e126011bc04cc78e12ebbb236c2df
SHA256

5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb
SHA512

09c7f17365370cfba4f7e02915d753e8d6a3a5feffae1c5574353024626c463f0ebd1eaa593267f59371676da2c14932fbfaa6035cc7cb814fd8e02e4776c0f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpxbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	sysxbod.exe
1188	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXO\\abodec.exe"	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxL5\\optiaec.exe"	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe
3820	sysxbod.exe
3820	sysxbod.exe
1188	abodec.exe
1188	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3820	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	86
PID 4728 wrote to memory of 3820	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	86
PID 4728 wrote to memory of 3820	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	86
PID 4728 wrote to memory of 1188	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	87
PID 4728 wrote to memory of 1188	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	87
PID 4728 wrote to memory of 1188	4728	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	87

C:\Users\Admin\AppData\Local\Temp\5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
"C:\Users\Admin\AppData\Local\Temp\5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\SysDrvXO\abodec.exe
  C:\SysDrvXO\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxL5\optiaec.exe

Filesize
679KB

MD5
462ed12851ab15f247443b82c2f203c3

SHA1
6b24826bb5ebcf316e8e720b3b64268a57d4289c

SHA256
98221eb7561187841a51d468fc07ad1dabab8970d8e70397647ddf60d6c73bc2

SHA512
a278efdc9be5a99d74aaf67fc2c75f9fe4e9f0d489202a0cc493a56d14c3cfb0c774b8a50dfb31f413de110d38f49fbaaba8cfa05b5b67bd327a04fdb0e3acdc

Download Submit
C:\GalaxL5\optiaec.exe

Filesize
4.1MB

MD5
881e85517dce636d759091ff6132112a

SHA1
ddb1b709e549d2a7263ea2114999c2669cbd7f14

SHA256
3fa99f32c3f5aebc0b7bca4e459d35cedfa229a447e7380ce0b7a54c1ced40d1

SHA512
2b565abfa615dd4a2ac230cbe855a40908bae290ce150b470b167f0e8d01b7b0a165eaf8b759dd6fb9b270487bbb1cbf371bbb2e0b2c78a2830f3131ee23fa84

Download Submit
C:\SysDrvXO\abodec.exe

Filesize
140KB

MD5
b5ed87cecd878cd0b274b8d2eb18cf5b

SHA1
46a0caba8d7c0b8b6db27ba51fb4f93679fbbc90

SHA256
985c078aa337de5ab9ab188959cee577218d583a1a12da8a082a39344350b7e8

SHA512
1d3617d8272d176e3690ae3130151fb694f90e7b2d99ed044de1b0775c1489a4a964fd10947c0ff2b177744fa6390711c34120bea6e3c02644ee5ce9d50e9416

Download Submit
C:\SysDrvXO\abodec.exe

Filesize
4.1MB

MD5
f216b13e53f3833b7d823093d5a1aeeb

SHA1
b159699c1f497467a3a89844cc68719ea58faddf

SHA256
bee2c1168d5b2ee6ad93c3ac2ef9f841d625a380f4136985d3ed939d4dfcf86e

SHA512
59903705e9af95e1fe46513886fb912f0af1bb4ef6bb13a803674626e1ee1a282f5f88fa87e98098ae14d304675081f0d33d5d375a1957e95d077fec5da80cf3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ee2fe33cbb6eb8ac733a5bce69391027

SHA1
cd5f450156082649f07759572e06c27ef7420bba

SHA256
ee12067cad2178da77d86850a1ee74ce1ffc7569815d798e416101c8726ce9eb

SHA512
9424747890642c7dc8292596090526c4d0fedf43d1a5538e46457d41e377490d4337d419b217bc123d7c14c0f1eca6845de3c322447bf141c67294a282b56d10

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
3418ceaa6fcf1876e90e02c6712b970a

SHA1
8971596f48db1df6e297482c522be85bbb4554c8

SHA256
7e2bc3ee42e63e9c3dd060233f06546558249df09088596e1a693672ca232a04

SHA512
565db22c27daada65821963055d897b01a342fb00d6a802c45bff3e66b110e52f1a07801923556446725835d60557883d930ba70561fd541346889de6ffbb5ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.1MB

MD5
356957f8759c2e8a07c51bf85a66b4d0

SHA1
7d75fc1530cc6c5b7abca866b4cccce02372bf33

SHA256
aeb6fec2a18540ef78f51601c651af5fac727f9d3244754d58f944ab1f02237a

SHA512
e7a0b1e05a14bf44f3edc497e17f1b518061ad1f358f430421ea215827b78636dbe613b467c501a1f938b3176ccd2e022c2d42e37ff9547f10eee7e71eceb143

Download Submit