9e3f8ed25e8caaab516a552f782f7da668620792db0f6ac3439896a5ffa06f04

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2370533992d66b2c64e9ee89d2757000N.exe
Size

2.6MB
MD5

2370533992d66b2c64e9ee89d2757000
SHA1

27cb790bcaf7c8f9b42f238e76310922146a3a58
SHA256

9e3f8ed25e8caaab516a552f782f7da668620792db0f6ac3439896a5ffa06f04
SHA512

0fa4faa9f42cfbecdca252a36fb491f48662d22ebe08e8c6b9d2c9ad86621100e4061c827682724dc513eacf839233f74809128599f0413ce0c27dddaca92540
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpcb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	2370533992d66b2c64e9ee89d2757000N.exe

Executes dropped EXE 2 IoCs

pid	Process
4452	sysxbod.exe
1580	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEA\\abodloc.exe"	2370533992d66b2c64e9ee89d2757000N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC9\\bodxloc.exe"	2370533992d66b2c64e9ee89d2757000N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2370533992d66b2c64e9ee89d2757000N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	2370533992d66b2c64e9ee89d2757000N.exe
3500	2370533992d66b2c64e9ee89d2757000N.exe
3500	2370533992d66b2c64e9ee89d2757000N.exe
3500	2370533992d66b2c64e9ee89d2757000N.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe
4452	sysxbod.exe
4452	sysxbod.exe
1580	abodloc.exe
1580	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4452	3500	2370533992d66b2c64e9ee89d2757000N.exe	87
PID 3500 wrote to memory of 4452	3500	2370533992d66b2c64e9ee89d2757000N.exe	87
PID 3500 wrote to memory of 4452	3500	2370533992d66b2c64e9ee89d2757000N.exe	87
PID 3500 wrote to memory of 1580	3500	2370533992d66b2c64e9ee89d2757000N.exe	88
PID 3500 wrote to memory of 1580	3500	2370533992d66b2c64e9ee89d2757000N.exe	88
PID 3500 wrote to memory of 1580	3500	2370533992d66b2c64e9ee89d2757000N.exe	88

C:\Users\Admin\AppData\Local\Temp\2370533992d66b2c64e9ee89d2757000N.exe
"C:\Users\Admin\AppData\Local\Temp\2370533992d66b2c64e9ee89d2757000N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\AdobeEA\abodloc.exe
  C:\AdobeEA\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeEA\abodloc.exe

Filesize
385KB

MD5
48efd265ecee62bae1f0205e972ec216

SHA1
c7988f628af87bff2f6054dff60407d7e5c34a1f

SHA256
6514afdd6419305afc2f46d3bdbca3898b63414540e71a0da8f8ef90bf3aed33

SHA512
35a7bbb37186a2442fdeacb8e7a2fb8e57d7ca0b2b0ec4a52b5096704c0b00de002d8df1b1c4bc61f0a6d983ccaae791e253b7bb6e1bdab1b8baf0d458306958

Download Submit
C:\AdobeEA\abodloc.exe

Filesize
2.6MB

MD5
38113a18da534434afd243fe60bcf253

SHA1
c1a156953eb54b5fbeb2fbde9da4af5749aae33c

SHA256
352a305745ce54b9308906254b1d2364eb2bed138ec93aefa4738cbead4f8935

SHA512
c07cc970949827d33b922067fe385884cf46e0fe568d322eb3268c0cb8464b873760cca9091fd5231f43166f3be7514a305644ad620b3e87f570275bb2ec2277

Download Submit
C:\GalaxC9\bodxloc.exe

Filesize
1.5MB

MD5
e7a99338e2909a7e6888a8b7efaca591

SHA1
f754fdba8d60d12f43cdeee82818bdd093b3bf34

SHA256
09439f1a95482ed86bd7351ce38db2374fbc911f1dfe5b1cba30f3e069eab4b9

SHA512
6bd44e1bd3ac989a7adad48c88f63c3a0dbd175dc7fd3614b4543557e1515ac78c256b51b54d8ef3fae656052ec26793b3dbcdd72d2d371cbbbb4dc5ed7cbe44

Download Submit
C:\GalaxC9\bodxloc.exe

Filesize
2.6MB

MD5
6f2ebf25242981b282493eb874eeac3b

SHA1
09dc6ce828376da507558e75c6920991e2b03936

SHA256
21027a11cc195d95867ebc2322889e9165da9d47f9ea59b7b98f5534e89c1a39

SHA512
3fcfd86c12f607e97ee2a75bcbfe97bb1cf20696da197aa0fb81244b70c6d4a4e72c6422277d9462afdeb206152b3aa090e844ff40b21f3cfa2fb036f8d11141

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
511192299ed31d66017a5c98adee59d1

SHA1
30578ec761be97b247c2d0cb20414d92c6c58d68

SHA256
061e747a719a62490065732369b13fb034286bbebe284979788e89991e726df8

SHA512
a2f577cef77032b710975c2f828ed473c7cf21005918b698c6487fcf33db1f2f8402421e7404f38fc5f938f67867276e8692b5d08191e749e070528da01065f1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
b72f1fee4609fdb96255e787c35b6d1c

SHA1
11de4c1349747f1c0bc5aabbe110f6b42fdcb498

SHA256
72e13b6e50d4c46ecd9a3aa51b9a8b4d9ebc241d5493430d2eb3473521b7b382

SHA512
25c091705bd2327d3224e2ad146810d6aadb9d3d029020d27977e72adacd2dc90ae35030102290a1e0fbbea6b5b237b56b4032f537680e52e0d79bbcd2ab38c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
c02f67dbf6d5637bb04093c4cfbd4b5b

SHA1
1ef0f3490032f939bb31c4ddf6e4b608b5207aa9

SHA256
04ee11c0f44244c69d6d2fce234f76aa0bb768e977b8e38c607b8ac7513c588e

SHA512
fcc9fd0197ee44b6a17c741b9dacfa99d223aaa2d8723ee72a0b7a0bb5dfdb5a4672b12b3a658437c360da0e2f4cce3001dbe67c34956fed1388e24152b9f768

Download Submit