Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:06
Static task: static1
Behavioral task: behavioral1
  Sample: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  Resource: win10v2004-20240709-en
General
Target: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Size: 2.6MB
MD5: 7bb120571c084e731f81c6dabc5e4dba
SHA1: 0c23cb9cedec350ec95c55cddf203980f1b5238b
SHA256: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7
SHA512: a2280ef1c989c2900f1822f6fcefb6691821016d03421dc00de4b246c870d3739fea2e0627ce91e14c253a3a3e69889e80ed731b69fcdd368ed463d97713c9f7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    2380 | sysxdob.exe
    2876 | abodloc.exe
Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    2792 | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
    2792 | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEC\\optidevec.exe" | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files10\\abodloc.exe" | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    2792 | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe (listed twice)
    2380 | sysxdob.exe and 2876 | abodloc.exe (listed alternately for the remaining entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 2792 wrote to memory of 2380 | 2792 | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe | sysxdob.exe (4 entries)
    PID 2792 wrote to memory of 2876 | 2792 | 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe | abodloc.exe (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe"
  PID: 2792
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2380
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\Files10\abodloc.exe
    Command line: C:\Files10\abodloc.exe
    PID: 2876
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: eca5ea25f6a32a95c09d2d11f140c43b
  SHA1: fc7c4ffc46b345747cc079073a62c80c129f2442
  SHA256: 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17
  SHA512: 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61
- Filesize: 7KB
  MD5: ec404dc607a7bce365c371372c732d22
  SHA1: 4d3414b75d79d8d911c3947e95add02806762e93
  SHA256: 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2
  SHA512: 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a
- Filesize: 2.6MB
  MD5: 51e42b02dfbb0d69e1c053d563c3cdc0
  SHA1: 110103c44a02b3e50a96322983da947298da769a
  SHA256: 281811501110efd324c9b990bf54139a0f1204e57d097f42cfa8947da5224592
  SHA512: b5f155effb0e7fe4c3a01837a19086c64e87fcf9f3aaa0148c247e5e45d1c9fb79b8093e280261cd7265d82c6d30a5be5cf885e0c0665eccd012dd69fd59747e
- Filesize: 171B
  MD5: 911405a9e0ded55ba5f34a70280645e8
  SHA1: f7c941c9e0ec1bb4a90aafc9fc81c15f582d25e1
  SHA256: ef505cf10fcf220208ec61cba27dae5422d3a804f9336b51178e49813e0677e3
  SHA512: f60218b0fbc3f12bb9fc55eb47cad18ad1af40b6c43e9620cacc37f557a571758ce44a11ee1cb9b08c92c537d63369524b778fedda516c56a0c672f1e2a22d4d
- Filesize: 203B
  MD5: 611022b90cc23f789b7535e1dde1b60d
  SHA1: 8ce303e4c55fd8b1a75299cde4737b522c403984
  SHA256: 2f0113bf102e7609a8c58916bc13cdcc9eb56cd8149c72fa675b139b3d098b45
  SHA512: 5261b9cc76d4bc0f271e0a730a0a06bb13d5e0729fbd1704e28a443f5309ca3632a7296ae49d4191a7e2d09c8f19fe6e397c856c79440b6fa2ca7a16b34c557d
- Filesize: 2.6MB
  MD5: 63ec31d56463b52bd2f5c3c4c7618fa6
  SHA1: ef8e92fc006917ed9789236c3fab1f2652dc5122
  SHA256: 1830eae357e1ebf552727e51dcd2332194bc0dc6a4ed1d71a898bf6002deaef4
  SHA512: f8f0849f6ad3872d42805faa54408f777dc3eae6ca2e44e5bf5605909a748da59dd15d6cc6240f84052444eda1e0c248022032efb2cdcf65dc27938940161833
- Filesize: 2.6MB
  MD5: 16f1d63f1f58b4c4f68b5abb5bd024d1
  SHA1: 04fbf76bf0b91d6a957a229cafa8df5f476779c3
  SHA256: 42559ef4f937792b55552ffcb6ba063f2fea44a5518aa64be5fbfbf56d5c79fb
  SHA512: 88a9b2fb37ff2a1e73b04cee76b3cdf6e71ef29f03347fcd700eb6ae3bf7bcab90a878d49e71fcb32e17da05389cb01d20fa0a7858cde1ee9d50f561d32b4547