0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

130a84e39f527ccc098fe180888fffe0N.exe
Size

3.0MB
MD5

130a84e39f527ccc098fe180888fffe0
SHA1

841d830070b179e4b64c1f4fd11a9cc2e98b5930
SHA256

0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7
SHA512

09ad3ac741ca410068231380d21932f016d0df6369f994f9d27fa17b4be4fc796acf2ae73368a530a86f1945180ef2203c1ac7184f6752032b06fe44eb48c131
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNX:sxX7QnxrloE5dpUpebVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	130a84e39f527ccc098fe180888fffe0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	sysadob.exe
2700	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	130a84e39f527ccc098fe180888fffe0N.exe
2172	130a84e39f527ccc098fe180888fffe0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOD\\abodsys.exe"	130a84e39f527ccc098fe180888fffe0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidV6\\optidevsys.exe"	130a84e39f527ccc098fe180888fffe0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130a84e39f527ccc098fe180888fffe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	130a84e39f527ccc098fe180888fffe0N.exe
2172	130a84e39f527ccc098fe180888fffe0N.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe
2780	sysadob.exe
2700	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2780	2172	130a84e39f527ccc098fe180888fffe0N.exe	31
PID 2172 wrote to memory of 2780	2172	130a84e39f527ccc098fe180888fffe0N.exe	31
PID 2172 wrote to memory of 2780	2172	130a84e39f527ccc098fe180888fffe0N.exe	31
PID 2172 wrote to memory of 2780	2172	130a84e39f527ccc098fe180888fffe0N.exe	31
PID 2172 wrote to memory of 2700	2172	130a84e39f527ccc098fe180888fffe0N.exe	32
PID 2172 wrote to memory of 2700	2172	130a84e39f527ccc098fe180888fffe0N.exe	32
PID 2172 wrote to memory of 2700	2172	130a84e39f527ccc098fe180888fffe0N.exe	32
PID 2172 wrote to memory of 2700	2172	130a84e39f527ccc098fe180888fffe0N.exe	32

C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe
"C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\IntelprocOD\abodsys.exe
  C:\IntelprocOD\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocOD\abodsys.exe

Filesize
3.0MB

MD5
b53000a360328a9d7b301bdb3dc46784

SHA1
c627f72444af1d2fd75c031830af81061da37dcf

SHA256
2ef3d5877e180932bc99b30dc0e44694dd1680c87d6f44b605777538ea793e45

SHA512
5fc0bc06f28b013f0aa33fcb3d748b397e1f9da965e4e4bc36c4f1eb2fd3fc3fbdd4f803bb65b0038477a04deb05b8cf4d61ecf4e8b72d6c862f16af855dead2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
b6463893742f2d318ac23ed6b72b7805

SHA1
d627467189506d62fc30f574391f842ed3e35153

SHA256
75c82d234a637544a4b999efeafa92466432bbd9aab356ca2e36c0f81865669f

SHA512
de44bde297739bf6c82fbd974645193e832ad404a66a5229ff854c0249cc680353667609ff179615e5f9b8aae293ef64f85f4436a50f87bb720f79153c01f210

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
42dc24c12900632d178fff7fdc952b11

SHA1
2d5d22848303ba754ebde0d530ad089ee927edb9

SHA256
9e540d947c30fd42f88fdf7653e2f6f1592320fd7accee852abce4855567f75a

SHA512
b7de69f7d4604f5be40bf0023ad6e8626897ab6edbf3cc10c87561bce5243beebb723351f1b96ad7cc4324795fcbf9abaa6a6ce24b0f35127e41edc4b44f17f0

Download Submit
C:\VidV6\optidevsys.exe

Filesize
1.0MB

MD5
b5e101aba9aa6e8a09935c38292a604f

SHA1
237841e616408df2af91ec826d252cae466ba286

SHA256
b37d923c791d8640002311910286873a73e0a43660cded2722ceeb69b02227a5

SHA512
90fee53de965480702c3d1c515fc651830e96cbd15d2eb578177df88e6f98b2646d26b1dc281ea6484849742f6b647635f5d19e4dd3048395873abb8508513e0

Download Submit
C:\VidV6\optidevsys.exe

Filesize
3.0MB

MD5
b0bd1f656c86850a4ee72f762f6d02ec

SHA1
d32a75c8e82c871085fbbe8f8b1fcd4aa7928109

SHA256
ff70c49454fb996a6c93abc907548592e1f97fe619ebbfcd2919de5115d20bc8

SHA512
0b52687ebc267047b779cfcf63220ffed02fd894276bf7ab2ea3cf371daa75bb69bcd195ab7c5da631f90a52b96d96768d6cd89f3b906c3978316092af234f01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.0MB

MD5
3c59b049d92dd1269465b91bedfc5c5e

SHA1
1b42fb735f982c6b217f299ac49c0452b16be5ae

SHA256
100e60baeb10ab233758af452b46252881f4378c8fc5ec118137ceb6691bbee7

SHA512
26d3e0466fadf7b16b15b06fb240765f073db8b25f2f656341db06caa4f759afcddade64986338be44592b2c3ca88a8f04e18d94997247f0ef2c64e67ec8c0b9

Download Submit