7618fb3f435767cb56c026743738f97d5f49a54143f646e85bd7d07d31eff542

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1800f45515ace051c9edd00016d42e90N.exe
Size

2.6MB
MD5

1800f45515ace051c9edd00016d42e90
SHA1

a2a2fce90739ffde8b1f23403d6567cfde15ef92
SHA256

7618fb3f435767cb56c026743738f97d5f49a54143f646e85bd7d07d31eff542
SHA512

4041e59ceaa3fe00175b5e798e0e2495cead8c8ee97d5d62b61ff17387834b09122041bac340e87f4d743f798ab840a0e45f447fd2d8d0e08ef41004307c71de
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUptb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	1800f45515ace051c9edd00016d42e90N.exe

Executes dropped EXE 2 IoCs

pid	Process
2412	sysabod.exe
2348	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	1800f45515ace051c9edd00016d42e90N.exe
2388	1800f45515ace051c9edd00016d42e90N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO1\\adobec.exe"	1800f45515ace051c9edd00016d42e90N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7I\\bodxloc.exe"	1800f45515ace051c9edd00016d42e90N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1800f45515ace051c9edd00016d42e90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	1800f45515ace051c9edd00016d42e90N.exe
2388	1800f45515ace051c9edd00016d42e90N.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe
2412	sysabod.exe
2348	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2412	2388	1800f45515ace051c9edd00016d42e90N.exe	30
PID 2388 wrote to memory of 2412	2388	1800f45515ace051c9edd00016d42e90N.exe	30
PID 2388 wrote to memory of 2412	2388	1800f45515ace051c9edd00016d42e90N.exe	30
PID 2388 wrote to memory of 2412	2388	1800f45515ace051c9edd00016d42e90N.exe	30
PID 2388 wrote to memory of 2348	2388	1800f45515ace051c9edd00016d42e90N.exe	31
PID 2388 wrote to memory of 2348	2388	1800f45515ace051c9edd00016d42e90N.exe	31
PID 2388 wrote to memory of 2348	2388	1800f45515ace051c9edd00016d42e90N.exe	31
PID 2388 wrote to memory of 2348	2388	1800f45515ace051c9edd00016d42e90N.exe	31

C:\Users\Admin\AppData\Local\Temp\1800f45515ace051c9edd00016d42e90N.exe
"C:\Users\Admin\AppData\Local\Temp\1800f45515ace051c9edd00016d42e90N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\UserDotO1\adobec.exe
  C:\UserDotO1\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotO1\adobec.exe

Filesize
498KB

MD5
f9ecd1aa2003d67c0272a65171a3579f

SHA1
7635feb779ba1987b8051131ea132653cfd57fd6

SHA256
abc8e1267b5536aeec00e1536e6e8a430ad9a918d0750d6226b982eda7d3ffbd

SHA512
d9dfaec5463111650eff8cc25bf3b4371b6d34126c52e8a71eb770e789ad202fef179c34a659a018f7e8eba935f2a346f69ebd5e92544590fd56c904cf7ea975

Download Submit
C:\UserDotO1\adobec.exe

Filesize
2.6MB

MD5
caebacaaafc918f7dee71cbeba9fd68c

SHA1
12cad7090c4773290af4157479be68307049e6cb

SHA256
9686166e24ead6f2e2fd4b8fb78f636f7d7755af88b6b4733b5f38646bf6daad

SHA512
d701bd354fa6cc08dbd9433ca03fcc42c3f2843a4e6b844c614a3a9a13134ffd312e6903ab3d3a13172eb05d9866335c732090972ac3a035d560dd8a4d8584fb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
b51f2ad47b0eeb9fd83c1679ab854385

SHA1
414758b4de75fc30e90782228b9305095ffed86c

SHA256
06e4e7ad46e8643184669ca3308ccc673111fca7db2cfc0ca0e716781abc5c65

SHA512
a0bacc83e8bf3099c127502729a32165bf7e93210d227e8736f684b4b2cada8cd09acf75270e4204487651ff69507cdc11e967fe23e3bebabba3037d048b4ba3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
bb4c5b5062911c9d108487e3fe16c392

SHA1
7538b8b04fc7e33ff1bf3306ad0aa6afb5b6c2fa

SHA256
5df071508a2cda1b5130e7aa6b83f5fbd7cac9236049f93bc8e9d9dfefeaaa48

SHA512
c813a954f966ad89aa8ef98ed7fdfcd35767abcc92508badf0a12331c34fd4ea91ad35fa0b2f8d52a62ff7c797581671e6069b98be3109cd27d6582f2e3b1003

Download Submit
C:\Vid7I\bodxloc.exe

Filesize
19KB

MD5
d016b0ad254ae9664284c6bec29c5ba6

SHA1
7ae5e9559a1832a9fb2100c1032f300c8dc78e9e

SHA256
7c02f64b740ff9995b503e0f1e0c8c01d837aa4bd8585709cf0f8dfe61831374

SHA512
c22c1b33c86d3a40515e18681d66290f6976b7510b3d4fce432a93ed4220ed0ce1cc8d8f3ddbabfe38b8176b15e6f826172e59fc74b34f4e1ca4414306ea2430

Download Submit
C:\Vid7I\bodxloc.exe

Filesize
2.6MB

MD5
2e7984980aa814cfe71f06b57a054b35

SHA1
c4c945a0b939b9f7e0b868c1d5a2fd9c6712e65c

SHA256
eb44d12d1c6a4ed84340e0eb037e5470e319644eb15cc5960f1144125f8a6379

SHA512
e5c683dedbe3cca4eff0ed755f7ca40358f995a1fe5fc1d9d2cd3247ab585657242593d2faf55629ffba5115a83bffae55a527a45ab8f3b40d90e41b6873c2d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
2cb3951a8070b3e691c50383e90b372f

SHA1
d7d7ccc12b19fc4f14d33065ab70bb35cb47c35a

SHA256
34db6d339bda58d2249efcad13a11ca515dde73800c251e051b971960774cf2f

SHA512
399f63a54b96b68644a3063bedd6d8a0a3d15afd64046458af15e16188e9cdee9fa8f4b1fdcebbbea7d768c3b089852e7bf6d0970a6684c483b17ca4ac8fd903

Download Submit