c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Size

2.6MB
MD5

7b85aff2eabe47a3af5ecabbafd173d7
SHA1

ea0e78441c5cb5968b424d77aeb7c07dca43e4d9
SHA256

c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a
SHA512

5e58548bde67e8fb786c76c87e8b32f23db14300b4c8e746ad387e7e7f764ffd79197d46ddecf570ad4c75542aee70c8baff9438a1f903f47d2c819d00e7b13f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpRb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe

Executes dropped EXE 2 IoCs

pid	Process
312	sysdevdob.exe
1164	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZL\\bodasys.exe"	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDR\\abodsys.exe"	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe
312	sysdevdob.exe
312	sysdevdob.exe
1164	abodsys.exe
1164	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 312	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	88
PID 3624 wrote to memory of 312	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	88
PID 3624 wrote to memory of 312	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	88
PID 3624 wrote to memory of 1164	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	91
PID 3624 wrote to memory of 1164	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	91
PID 3624 wrote to memory of 1164	3624	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	91

C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
"C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:312
- C:\SysDrvDR\abodsys.exe
  C:\SysDrvDR\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZL\bodasys.exe

Filesize
512KB

MD5
b612536a69426c62f07a81d28343052a

SHA1
c8ddf174d82c2872ec7e36e7796ab4237b063b77

SHA256
201bf89286f5f1250edb9c59d040cfe8ea65588992d4a67d7fe63c78fb921959

SHA512
26b709a53db7e3e02dde2cd9338edcac9d67aa2212bb9f096be01f48a7e30d9a6788fc4915bb6d30e2a88b5cbc6fa86e85d9bfb1c0de9d078f09faf107643f22

Download Submit
C:\GalaxZL\bodasys.exe

Filesize
2.6MB

MD5
ce5925315f9c59d74279f594d2dca21a

SHA1
acc7d1d4ab72fee15d009f246415d01c5cee3bd6

SHA256
16d0220b6ab81e2e9ac3df602811e119aba57fe0bad4817fbc1831a99eb87206

SHA512
2ed2f3500168b0711256958b78989d476ab8365ac0b39d8786ba78a0a08bad0f93af98632136e0581362a854c998aa3d805aa61c68affb069805ef41b83876c9

Download Submit
C:\SysDrvDR\abodsys.exe

Filesize
993KB

MD5
8787b3079518903971ae689ce8a5da34

SHA1
b2907da6e184b14779581f6e9c865e0ccac677b3

SHA256
cb47d03ecf9ed5a014eb9d10453da7764e23eacd0dd79a11cfd36f3edf315a32

SHA512
b68be7af4df417252b182af7a80d7f13aa1c9bf88ff23e6c1df1adf3c84f5280fea610e342308b9a1c45c87dbd2d4739da0d0a5df321bbd5357e6e128c3df441

Download Submit
C:\SysDrvDR\abodsys.exe

Filesize
2.6MB

MD5
8ddeaea53586314793d0518cbfa3fc26

SHA1
da892bf2bcbc9c58efc346b2a3a37effb1871719

SHA256
91cd1e2acce6f2a1cc72747e527d788b41a73aaa61feec299230443e6ff5aa6f

SHA512
4ae6fce584ec1d3f419d90e23bb10e8e52fe6f20c22be929cd786a612c0c6ddb4fa36fc520651c2bcd8b20327448d7ce60b9a1425440260feb34718ff7a3519b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
7f5f02ac540d55a7033e95f6ed39b75d

SHA1
6fb8c9a1454a220468ca2006a0df69f88c907188

SHA256
26cdcb6e1688da49d7f69ce2a9aa85d3c69c0ac49300ff4755d2d319c529505a

SHA512
6adae7524b594e25a22a2d0227cf77be9032971006834f0d7d8649a2d330c183f0d1bd9d49ddeb5b55303a5b413e542d8adc703951bea9aeee5efe038ff8d64f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
bc4c287d7dc2c14c0c96d0892cfe73f9

SHA1
35c4da39ae727ffa54da9d387c464aa9780974e2

SHA256
e4675c8c8745793c779270d6aef01a53415776093066fb7dcedf3976dd9663d6

SHA512
13c8c0de7c042e3fd80c0b8e37788979cf57cc3337ae4b02bbb29b7af623498f82f439c4ad71918860173eb1b7d62a0e5aa9d7209399daeb2bd1d7889dc26c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
1f24145eda5aa1d76519c87a061c7798

SHA1
c3814e768412e9efddd198702ccbd596cf4a6458

SHA256
88f415016a53bc051667cec6a4ef55137edc87d1007d20e3a86b97e129a7a5b1

SHA512
3cad7d3a56dffa261ad3a0944ebdb609e65a76e596d66ae3259568cc6acdccec8d8584514ca35be97cfd108b40f0d3480ce7f46288d24e44b353d6dac0ad2792

Download Submit