ebaa2ee442985be1f86ce0177910dfa98ddd7b08808219382801785acccaf39a

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Size

2.6MB
MD5

3abda73cd97e4ecd2c15acd7b4b18df0
SHA1

c84fad2ca4ea6f2b8f9363cfab09e35d694c4c72
SHA256

ebaa2ee442985be1f86ce0177910dfa98ddd7b08808219382801785acccaf39a
SHA512

26092fa90df86d5beda8a7a7e244461ac41a5d860dafe76e2df2c781f0b4cce21fb414fe8f5926632dc0ec641ad5c34809df11985ee2451d64cf9a7ab8e3528d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUp/b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	3abda73cd97e4ecd2c15acd7b4b18df0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	sysxopti.exe
2876	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1Y\\optiaec.exe"	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNP\\abodsys.exe"	3abda73cd97e4ecd2c15acd7b4b18df0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe
2288	sysxopti.exe
2876	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2288	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	31
PID 2608 wrote to memory of 2288	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	31
PID 2608 wrote to memory of 2288	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	31
PID 2608 wrote to memory of 2288	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	31
PID 2608 wrote to memory of 2876	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	32
PID 2608 wrote to memory of 2876	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	32
PID 2608 wrote to memory of 2876	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	32
PID 2608 wrote to memory of 2876	2608	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	32

C:\Users\Admin\AppData\Local\Temp\3abda73cd97e4ecd2c15acd7b4b18df0N.exe
"C:\Users\Admin\AppData\Local\Temp\3abda73cd97e4ecd2c15acd7b4b18df0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\FilesNP\abodsys.exe
  C:\FilesNP\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNP\abodsys.exe

Filesize
2.6MB

MD5
59a347eef4a4f081f4012f0c199ecbde

SHA1
e92595ff20721db1a4cad2c88015db3b97401c96

SHA256
a758de7f8dc0c32f8cb3c39fad1718b42db913f814ebeb3be8ab321891ff75e6

SHA512
10b398649a39cdc7a8a81315160c736a5dfec1bfbce5abcdd4c3d75ca08839ab95a0b84cb49c7532c8f939dceddae4fd807521f23dc4e79708150183f7679179

Download Submit
C:\Galax1Y\optiaec.exe

Filesize
2.6MB

MD5
be09e77e57728e7dfaa30f18e32fa9c6

SHA1
3c9d0eb6abc613e87536ad823eec3ff74bb5fef2

SHA256
4c5dd8a7defd143a9e7ae46a91cd5dc73769b64c95c501a42de68248acd27435

SHA512
6447d04744d7eb84e3eb14c8de2f7203c713c543a4a1a97ad6abb405b4cbd066e2f9cf9608739d9d04850f6312243bc8a7d7665e3a6d6182556ec23bfcdb23fa

Download Submit
C:\Galax1Y\optiaec.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
d984bbac39cddd307e3e0319e5a50d26

SHA1
3b317b89dea46e1057bee2dd61028fd26071c04a

SHA256
02a83429c67baf882a82a7fcbe2d7011271bf903c3d430d23b3a0f1b9dff53c0

SHA512
537bf3e3ba8e2963447847240c4fac540816bd9bdf75fd9c08778980f7fba62225e034cfe88bac0feef357f29b5f759e5e8dd4de1beeb425c411ad6c44c8c7b7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
8f982404510baaf043dfee339363fde8

SHA1
2c9e5487a5e876625e50d45aabfe9232c3192c22

SHA256
948b1e2c810468fbd526c484f0f1cf32c77e17dab5cf722105545e625a46c591

SHA512
209d0d0f401d78a6058997e1965f13abd0c3a47426ca86e9e29d4bcc43e9792fe7eb72e7b2b44c344e71f239c73e7bb551456aed2ce09ea9d32077b7040116eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
1f888a567a477c9f3b50c9980a4042e5

SHA1
423e189e5dec0a93110248ef172d444ad72a79ae

SHA256
d8c35b442730b81e69fc4d209bcf93cb00b4f849bb1108ee2ce8956c0020bc0f

SHA512
67179a48f995f3e5612d2f6ab0bad0e32b318d01e182b0e1038b3b21dcc2402a586ee3b3d52743cbed9af3918a04c5087fd8a662a311d8748b4c0b402848a57c

Download Submit