8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Size

3.6MB
MD5

5b14a42052f3e376c2f498cc11548d97
SHA1

051fbb7a841ce597da0470fce93f318c49c90961
SHA256

8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3
SHA512

0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	sysabod.exe
5012	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\abodec.exe"	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK2\\optiasys.exe"	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe
1960	sysabod.exe
1960	sysabod.exe
5012	abodec.exe
5012	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1960	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	87
PID 4972 wrote to memory of 1960	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	87
PID 4972 wrote to memory of 1960	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	87
PID 4972 wrote to memory of 5012	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	90
PID 4972 wrote to memory of 5012	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	90
PID 4972 wrote to memory of 5012	4972	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	90

C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
"C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\AdobeKE\abodec.exe
  C:\AdobeKE\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeKE\abodec.exe

Filesize
3.6MB

MD5
b6bf5083b29db479b4a69f9f26c5bb7c

SHA1
f790d14c0fb046ffa383ecbb76877ba5afeb0e36

SHA256
13fb94c13d32e0ee7232d32ce1a18357cbf7c29c6b5b9e8f9465977fb10d7fe9

SHA512
7378cc38a9890212bd6df405ebfc008c2991b9207aa8f2315c63eb25b2b2c8c55d6abe3def4a43f11a13e248808ce97b1c6e592d23702b2f9a697e55ab694d23

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
359KB

MD5
c057983625e9b39ecdf46bbd24bc4531

SHA1
a4e584b53854d3b397181365b864298b2f8e97a2

SHA256
151739623234ff03e35677bbb2bf4e940c8670cc4133ee896c64809cf858c30f

SHA512
24835e9b5485b6a6acdea0e10c77c29085127c6d4fc56294003852e4f617c45761ea85625645d663893f06917bc7fca3b076b1af3243cc3b7e7e804e97ebc70d

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
253KB

MD5
aa74e49f2edd064f6235a02786563d7c

SHA1
7ebe451ae09a82c37597f209aec002aa547b2622

SHA256
748a5bfc821bf3fc45d71b61478dc431fcfe28eaf95bf87d2dd9a36a82b833b0

SHA512
3c4cc1406fafff17cb080e124a3c2261bc728d9f04257425440eb92bf19386cdd2bb5d7e64a950c00786d4ecc196b1e28931701719d7e2313f7cf559eb65c454

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b8313712adf9c353a9faa35e16a4716b

SHA1
2b8f71a321e05ac39169966c5d93056c79140ef1

SHA256
7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4

SHA512
c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
ca72aaeb1c2791b46837f2dbca9ccc2d

SHA1
6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae

SHA256
ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f

SHA512
d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.6MB

MD5
94acf8768a31d3cae1136744eecb7e91

SHA1
67f963c34bfd5a0a00c21cc6fb3f8d5738ca67af

SHA256
f42dd4f33aca43fc18e3f2883ecd37e316124ad21bd101828560185d7a3b253a

SHA512
dae35a764c897ef8f2dae2c8ac6a2d1275a391af1353e6505c9297a8463f76ab757c8afd78f88270921e3490bc354a7418ac3e2f0719cae688edad93b76f6cc2

Download Submit