7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
Size

2.7MB
MD5

e682c272d79d31837cf70564cd0656be
SHA1

bbbe02bc1ac0ae1643542b5aa0f1aebdfb9ce69e
SHA256

7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69
SHA512

4096199720ab8a46a3b6de927d06bbb5126689f408b9250fbb6002d8e8643cb4df618877c1e2594f27b40eb8da0ed1e6b02785ca221ea8cb73be70a2cc4416af
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpmbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe

Executes dropped EXE 2 IoCs

pid	Process
1532	ecxdob.exe
2912	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6V\\adobsys.exe"	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYB\\bodaec.exe"	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe
1532	ecxdob.exe
1532	ecxdob.exe
2912	adobsys.exe
2912	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1532	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	89
PID 392 wrote to memory of 1532	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	89
PID 392 wrote to memory of 1532	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	89
PID 392 wrote to memory of 2912	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	90
PID 392 wrote to memory of 2912	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	90
PID 392 wrote to memory of 2912	392	7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe	90

C:\Users\Admin\AppData\Local\Temp\7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe
"C:\Users\Admin\AppData\Local\Temp\7f80dda94740a41b51e64d5102fd6e7502479d795e9793cac555122f4253ff69.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\SysDrv6V\adobsys.exe
  C:\SysDrv6V\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxYB\bodaec.exe

Filesize
2.7MB

MD5
0c37ab957282d49c5780473bf71377d6

SHA1
afc920c034506ab97de763c76a65293ae8474e7d

SHA256
6fba58b4df5f61b0c1a6061e2afaf69c3c0fa2d1bf444ae1081ed6fa4eb1fef0

SHA512
6fb5ba2c1e83e6b0b90b029c871f4a1218120228a2167d140d6e201f54bc1d9042ea18a85064268739c0f637cb75c48987435c728348ef26792f5cd6777974ae

Download Submit
C:\GalaxYB\bodaec.exe

Filesize
1.1MB

MD5
2a6113963ed992842d704a43b404693e

SHA1
354372178ceccd5c583dd282905403231dda879b

SHA256
608ccbbe234db2ce6334f10cea64315c3e55dea7a28a6b0bec367e622e6b7a40

SHA512
c663456b61f858a70d2031d724c0d786397dd34afb383e94903dfa5c425423217b5bdce906b2891a76321a0385bb2bf92ceff5debc2f6acb3f9aa224f5767454

Download Submit
C:\SysDrv6V\adobsys.exe

Filesize
2.7MB

MD5
f8ce555da5c9d6bae20e001289a2cfb1

SHA1
848fb2b3adb9a124780c6f5c18bb7233b5235502

SHA256
b949e301b41661635264b92dde8056384b258dbe25a68a81927b56191a970c21

SHA512
f4697cb997ac3a951299a160341d9f8c9414f92fa6d62af91f870a0b0b0c4e7fa2115d86f9754db270cf9dc7e131d32b0c67d1b331e81f1daf39f4a336fe8c53

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
af5dc1915088acd1ec06ba00e69c8f9a

SHA1
1d37d21e4e5a9517b0d73f2d84546f9f83be204a

SHA256
f02870474bd3f3e9346386a2277527a4c8f9e3559749e804ad7e6cfd49094b33

SHA512
d30d7f2e02de0a96175f3217bb0a1c48c51af45fc56f28bd3b0d6b9ecd7958b1cb8baaf66b8dabe031331b6cc42a3729d79b52da1a0542c9a48bff344a541dcb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
a3ac51a7759f43b1bf65c3a0f09d65dd

SHA1
2344f37800d66ccd1ee3ba9203ee3a7c866c89e2

SHA256
281596be9c48fcea2a5a096a0c9a7fc0ea04008167d7b25e439b336392929978

SHA512
4961dbd7af089eaa352ba998fa5cefcada007260e950394de1f63045423b37a51db100be23a489db701227a762d33c35369e714f70a58ff036e56d48a49f45e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.7MB

MD5
6458e875418b565991bbf1d47612ef0a

SHA1
095cf7ad529b57599c2e2950c1f4546f4c198fb2

SHA256
8416f3b7fbe2701d50401600eb3304cc1b3dd639addd4a9e381b619d24b8b702

SHA512
0d1ba525a97b222482565d870a73b9a897b91f23d9d190849656bc1370ff204a09c7949ac496d535040fefba076ce11459df144cd68c3b4bc6b54642c33fa54e

Download Submit