3a2751531804c6a9506569a90a8abeb3f0901b40b9bd66494fea135df8cefeba

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005c8eecb10f6067072a3076b25c40f0N.exe
Size

2.6MB
MD5

005c8eecb10f6067072a3076b25c40f0
SHA1

d0e3aa65b7e10d5bc8886457a0a5d535e96c5289
SHA256

3a2751531804c6a9506569a90a8abeb3f0901b40b9bd66494fea135df8cefeba
SHA512

03c76d936b7e66a13a917cfa8a62a68ec75d657f0a0ac4df6869651d22304ea6ebb36a2957890cfa3deca153c802f4b04c026427e8c20e7372908b4f94ce2bdb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	005c8eecb10f6067072a3076b25c40f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3136	sysabod.exe
2260	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\abodec.exe"	005c8eecb10f6067072a3076b25c40f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK2\\optiasys.exe"	005c8eecb10f6067072a3076b25c40f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	005c8eecb10f6067072a3076b25c40f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	005c8eecb10f6067072a3076b25c40f0N.exe
1152	005c8eecb10f6067072a3076b25c40f0N.exe
1152	005c8eecb10f6067072a3076b25c40f0N.exe
1152	005c8eecb10f6067072a3076b25c40f0N.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe
3136	sysabod.exe
3136	sysabod.exe
2260	abodec.exe
2260	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3136	1152	005c8eecb10f6067072a3076b25c40f0N.exe	87
PID 1152 wrote to memory of 3136	1152	005c8eecb10f6067072a3076b25c40f0N.exe	87
PID 1152 wrote to memory of 3136	1152	005c8eecb10f6067072a3076b25c40f0N.exe	87
PID 1152 wrote to memory of 2260	1152	005c8eecb10f6067072a3076b25c40f0N.exe	88
PID 1152 wrote to memory of 2260	1152	005c8eecb10f6067072a3076b25c40f0N.exe	88
PID 1152 wrote to memory of 2260	1152	005c8eecb10f6067072a3076b25c40f0N.exe	88

C:\Users\Admin\AppData\Local\Temp\005c8eecb10f6067072a3076b25c40f0N.exe
"C:\Users\Admin\AppData\Local\Temp\005c8eecb10f6067072a3076b25c40f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\AdobeKE\abodec.exe
  C:\AdobeKE\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeKE\abodec.exe

Filesize
239KB

MD5
9c81c67603229ff58006299ad83bb567

SHA1
7cdde0a45ca928579fcd31325c779390cd254721

SHA256
9a6e2cd4d5505d3b9b6f23e02f0bd6b528b57ad0ca01e7aee7cfb83ac3d7c021

SHA512
dc6d543c6a8c831777ce5b19457882c3e37d9b6d67e30ff7f4f612f74074288efbf2c50b4461edeefdc16fbd3f7dbf440c415f5913cff7182c7bf13d52001bab

Download Submit
C:\AdobeKE\abodec.exe

Filesize
2.6MB

MD5
77d0d23ccefe9d47cd2f49932afab718

SHA1
022a7596c4a69497ce379b12c814ed1598b3cb2f

SHA256
ef2d6e18897c52c25089b75d2f1e664954954b71119775b98195fea7d3a117fc

SHA512
6c22c90766016d2678ddd049449ce2d7e0565d16b5dbf6e6c41573b1b554f8ecab2c39a9a3c59f13caf26e0041fb113b97d9f10cbeedafd3008211aa5766072d

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
2.6MB

MD5
220f6394b3efa815c81a5ebbb3ff21a8

SHA1
528859b3ec83ef1af2f3f82c43579cbcd31017af

SHA256
292f94bb8b66f0b7297b7374f30c11dc2a66195675c7db448e3d72d866a96c1d

SHA512
549738334ade14f3203546b9e8928c73b2f4a1b537c3c869aa50a80e2aa62a4c860d694393691766fe86b20bc22f845da42e94b7cf798e1bece828964a239957

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
37KB

MD5
9ba1f92f17320406dfe029e73132f1f8

SHA1
5178500c26e0bae7a24b5f6089f4efac6bd1c451

SHA256
e2bdabf6ea4b10b3bcdc7cc25b9413609a1f9f529940ba94824e408abb581504

SHA512
afcb08b444b349ced710fdcf62a34fe5d36f5ae3233e46e7dea8b228f13e34643000d248e3a4eb700d4def94bc096c9aa4988b02398441d2eb578682cd4eb835

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b8313712adf9c353a9faa35e16a4716b

SHA1
2b8f71a321e05ac39169966c5d93056c79140ef1

SHA256
7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4

SHA512
c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
ca72aaeb1c2791b46837f2dbca9ccc2d

SHA1
6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae

SHA256
ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f

SHA512
d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
d17f38302ec07b279e209c45268c23a8

SHA1
01186e4db9281f44853d118265d106b5600126a9

SHA256
7c351cff7bcb043dbeb981922e0594ee61e1a08929fb7466a2e4f59b5c2cb078

SHA512
03b4b053862cbbfcccd3d048bc1ff55542f22577e2521db1ef14cd2d95bf44929da30ef30a66c4ade26b21b8d6e49746da8e8b51d254916c54c04cdf82331532

Download Submit