348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7

General

Target

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Size

2.6MB
MD5

7bb120571c084e731f81c6dabc5e4dba
SHA1

0c23cb9cedec350ec95c55cddf203980f1b5238b
SHA256

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7
SHA512

a2280ef1c989c2900f1822f6fcefb6691821016d03421dc00de4b246c870d3739fea2e0627ce91e14c253a3a3e69889e80ed731b69fcdd368ed463d97713c9f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

Executes dropped EXE 2 IoCs

Processes:

sysxdob.exeabodloc.exe

pid process

2380 sysxdob.exe
2876 abodloc.exe

pid	process
2380	sysxdob.exe
2876	abodloc.exe

Loads dropped DLL 2 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

pid	process
2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEC\\optidevec.exe"	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files10\\abodloc.exe"	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exesysxdob.exeabodloc.exe

pid	process
2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe
2380	sysxdob.exe
2876	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	pid	process	target process
PID 2792 wrote to memory of 2380	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	sysxdob.exe
PID 2792 wrote to memory of 2380	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	sysxdob.exe
PID 2792 wrote to memory of 2380	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	sysxdob.exe
PID 2792 wrote to memory of 2380	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	sysxdob.exe
PID 2792 wrote to memory of 2876	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	abodloc.exe
PID 2792 wrote to memory of 2876	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	abodloc.exe
PID 2792 wrote to memory of 2876	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	abodloc.exe
PID 2792 wrote to memory of 2876	2792	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	abodloc.exe

C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
"C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Files10\abodloc.exe
C:\Files10\abodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files10\abodloc.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\GalaxEC\optidevec.exe

Filesize
7KB

MD5
ec404dc607a7bce365c371372c732d22

SHA1
4d3414b75d79d8d911c3947e95add02806762e93

SHA256
8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2

SHA512
25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a

Download Submit
C:\GalaxEC\optidevec.exe

Filesize
2.6MB

MD5
51e42b02dfbb0d69e1c053d563c3cdc0

SHA1
110103c44a02b3e50a96322983da947298da769a

SHA256
281811501110efd324c9b990bf54139a0f1204e57d097f42cfa8947da5224592

SHA512
b5f155effb0e7fe4c3a01837a19086c64e87fcf9f3aaa0148c247e5e45d1c9fb79b8093e280261cd7265d82c6d30a5be5cf885e0c0665eccd012dd69fd59747e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
911405a9e0ded55ba5f34a70280645e8

SHA1
f7c941c9e0ec1bb4a90aafc9fc81c15f582d25e1

SHA256
ef505cf10fcf220208ec61cba27dae5422d3a804f9336b51178e49813e0677e3

SHA512
f60218b0fbc3f12bb9fc55eb47cad18ad1af40b6c43e9620cacc37f557a571758ce44a11ee1cb9b08c92c537d63369524b778fedda516c56a0c672f1e2a22d4d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
611022b90cc23f789b7535e1dde1b60d

SHA1
8ce303e4c55fd8b1a75299cde4737b522c403984

SHA256
2f0113bf102e7609a8c58916bc13cdcc9eb56cd8149c72fa675b139b3d098b45

SHA512
5261b9cc76d4bc0f271e0a730a0a06bb13d5e0729fbd1704e28a443f5309ca3632a7296ae49d4191a7e2d09c8f19fe6e397c856c79440b6fa2ca7a16b34c557d

Download Submit
\Files10\abodloc.exe

Filesize
2.6MB

MD5
63ec31d56463b52bd2f5c3c4c7618fa6

SHA1
ef8e92fc006917ed9789236c3fab1f2652dc5122

SHA256
1830eae357e1ebf552727e51dcd2332194bc0dc6a4ed1d71a898bf6002deaef4

SHA512
f8f0849f6ad3872d42805faa54408f777dc3eae6ca2e44e5bf5605909a748da59dd15d6cc6240f84052444eda1e0c248022032efb2cdcf65dc27938940161833

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
16f1d63f1f58b4c4f68b5abb5bd024d1

SHA1
04fbf76bf0b91d6a957a229cafa8df5f476779c3

SHA256
42559ef4f937792b55552ffcb6ba063f2fea44a5518aa64be5fbfbf56d5c79fb

SHA512
88a9b2fb37ff2a1e73b04cee76b3cdf6e71ef29f03347fcd700eb6ae3bf7bcab90a878d49e71fcb32e17da05389cb01d20fa0a7858cde1ee9d50f561d32b4547

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads