3e507aa859d8d9e9cb2b4076d721842aedf3f915a6e1a5c81885c38b567c86c9

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
Size

2.6MB
MD5

1ce5851fbfb2ef9bec7d3a706f6fda20
SHA1

cf109b892942fa1cd02cd29088f4a9beede8d6a1
SHA256

3e507aa859d8d9e9cb2b4076d721842aedf3f915a6e1a5c81885c38b567c86c9
SHA512

5a11212429b8a2371a6fafa2d20b33c7d80a4bd75a2fe3ddda2b7cdf05b5d20d58f89693187d9073822287ea6bcada495f0c700b9517615ad501ef93c134198c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpEb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	sysxbod.exe
2220	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPI\\boddevec.exe"	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYN\\abodloc.exe"	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe
2256	sysxbod.exe
2220	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2256	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	30
PID 1948 wrote to memory of 2256	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	30
PID 1948 wrote to memory of 2256	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	30
PID 1948 wrote to memory of 2256	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	30
PID 1948 wrote to memory of 2220	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	31
PID 1948 wrote to memory of 2220	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	31
PID 1948 wrote to memory of 2220	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	31
PID 1948 wrote to memory of 2220	1948	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	31

C:\Users\Admin\AppData\Local\Temp\1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
"C:\Users\Admin\AppData\Local\Temp\1ce5851fbfb2ef9bec7d3a706f6fda20N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\FilesYN\abodloc.exe
  C:\FilesYN\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesYN\abodloc.exe

Filesize
14KB

MD5
9262cab29eba6c8ec58cf55dd510774f

SHA1
9c109088d1dc40745dede1654950cf3c14a07d0e

SHA256
e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945

SHA512
2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004

Download Submit
C:\FilesYN\abodloc.exe

Filesize
2.6MB

MD5
c7503d7a11549c3e73199126a0f0fa92

SHA1
48dda0d79cc22e2128b4d7471b0d9259076e631f

SHA256
b417c1df6bf3131c218bc96d920041e69481ee2fbfc79b8ff1367df6fc312230

SHA512
6e98d207291f3277a3e514907d7685a1a0d934e1644d8561855b33ac1c0a9df00740a0cf2938bdeb18bdbc49c8e786bc25283b98f7be8c571fee1f058367d9e8

Download Submit
C:\GalaxPI\boddevec.exe

Filesize
2.6MB

MD5
1b70af5d5bacaad1679512d8b67d8225

SHA1
864626c6b801a11e6be7a80106f7e7de75bf4f6a

SHA256
629dab7132bc56ec7eb3b090077edf826e25df349ceb97cfdad612d3d929dea4

SHA512
68c0166954ddce3daf4938710780f93d573153af9bf123c38d3852d21aeb555bc75ead2a9cd69032532c9605e6e8d11a2f4ef94243aa711ef0fa074b00c19286

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
c8b3ce761c08c02fdde289d54351330f

SHA1
fe9cb9b640fb449301111913aea83d8db5132737

SHA256
7729ea3dd22c830333e14ed9483065387877f8e2694945bd6bd834fd3e9dfb73

SHA512
e9c05113c1d18245b30eeb5483216fab4cb1ad1abfb90777aa8a9788834fc649ba36038bc292358c31b06d36253346c79928b43b1a74303c910e90e2d2dc7e10

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
f894311608cd0e16bd6ad6daac0e7b5c

SHA1
48e6a479f64e620b94acaa68e7b8f7e0ad05cef0

SHA256
fb1c764cebbf55fe1aadff6c672dc6ff55a6c201d6f5bc2f4b695101cd3c8a1d

SHA512
aaf7a5da3fa861f56f3d90f6306fedd57a4e98703cd7d9cb61b892b7100ed3460afa92e26e97a7a4dbe86be918ccd8be155cfe4d9cc35bf5128e38ed74318b64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
88183fa938ad20bca5aa1934162a50e0

SHA1
fc91c3a647f908cd769781fffad48915a9486023

SHA256
ec472764c6622af1abb87c6010e0b80c83f93e2b3ae184eba3b6a23589f0d21a

SHA512
b6ab6bc760bf5c03ef0f61f3768d932b1c0be321ea1b12b0b77be62b40fd81397b5ca8ca0ffa23f817658012e593f699a6ca34e88f318f50d3dae8248a19d83d

Download Submit