39586ec3d0ac7905f6efdc22a48dc97825d665fa23bd736ca67d02be2c2307c3

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c9da8e9c193c266bb3bc2183852e60N.exe
Size

2.6MB
MD5

c4c9da8e9c193c266bb3bc2183852e60
SHA1

796ccbe796a3c93db3267d85ba0e45c70263263c
SHA256

39586ec3d0ac7905f6efdc22a48dc97825d665fa23bd736ca67d02be2c2307c3
SHA512

65e30ab5b575cc816bec19ef6a74728ce0853b8d1b8f109f5e1f21d5ad354958d6becc949bff989ac824a9bddfa141d8ec311b459c1901f3ff19d1140ee23335
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUpnb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	c4c9da8e9c193c266bb3bc2183852e60N.exe

Executes dropped EXE 2 IoCs

pid	Process
896	sysxbod.exe
428	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0C\\abodec.exe"	c4c9da8e9c193c266bb3bc2183852e60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFJ\\optidevloc.exe"	c4c9da8e9c193c266bb3bc2183852e60N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4c9da8e9c193c266bb3bc2183852e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	c4c9da8e9c193c266bb3bc2183852e60N.exe
4396	c4c9da8e9c193c266bb3bc2183852e60N.exe
4396	c4c9da8e9c193c266bb3bc2183852e60N.exe
4396	c4c9da8e9c193c266bb3bc2183852e60N.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe
896	sysxbod.exe
896	sysxbod.exe
428	abodec.exe
428	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 896	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	89
PID 4396 wrote to memory of 896	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	89
PID 4396 wrote to memory of 896	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	89
PID 4396 wrote to memory of 428	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	92
PID 4396 wrote to memory of 428	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	92
PID 4396 wrote to memory of 428	4396	c4c9da8e9c193c266bb3bc2183852e60N.exe	92

C:\Users\Admin\AppData\Local\Temp\c4c9da8e9c193c266bb3bc2183852e60N.exe
"C:\Users\Admin\AppData\Local\Temp\c4c9da8e9c193c266bb3bc2183852e60N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Intelproc0C\abodec.exe
  C:\Intelproc0C\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc0C\abodec.exe

Filesize
2.6MB

MD5
dbf383da2462904e5fd42b85e34c53f5

SHA1
30e5bfe9332d6604954114f99710c0e30d4d511c

SHA256
18be29d6583f5b278ed44f3eab49eeaddc64fcc411349bc1e3073e0cab779ea5

SHA512
51af03930914a4769d8c215ade09ff4758e80f15ca36382f26b4275602fd9f614433528851d5e8a32d6b64ec6099ff978863ff15c1207f280704403768c730f0

Download Submit
C:\MintFJ\optidevloc.exe

Filesize
726KB

MD5
edc97c2344b7f68ab263297aa009f564

SHA1
e348b51b23a890742f5ea9bb9765bcf4276d7dbe

SHA256
83d1b6a703d096d8146ed38ef64750f10698cd2731abef7251044a0ad278c60b

SHA512
651eae68c3e00b44200bc22e4e962940a8d4d1d5ecdae5214c80cd9dc1bf41c5e102fa904c73b3fe9acfdadc4964404d65ed17e048b770ef44356a7ab7a99b44

Download Submit
C:\MintFJ\optidevloc.exe

Filesize
2.6MB

MD5
c581cfd71338b3af5a3958894fa9b5da

SHA1
79b43f9cfac6300b803850c7992f030519d50ab3

SHA256
cadcac27feeaa3d683c82c59e88371edd430fc5c1ff3bfcdd2a2358c559950b0

SHA512
ecfbaa55044869f02ed537bf8ad8a5e81bb3c8bc73a3f3b31f8c49923cd66ad283109d5ba763a861957780a7b3c1de2a0fa1ce1ce6d1043eae2c96104d41a58f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
bfbb71807b5bad38b008c7ebb86a71b6

SHA1
32f34ba35eb9080094844aa25711a1e9ff5b3fac

SHA256
14060741eb5c18868a90e178fcfb3b5786dd458c8f7f03663b5445872a8fc80e

SHA512
599c2592f5b47c6c2dee40228c67506b0d1df9879cd65e7e35d5a20e4a3a8a81861fcf3668130bd0aa2b83ad4bd2f647c03922a9302968aad0afed0fa4bc00af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
39713eacbc2efe14b982ea95702aac13

SHA1
b0a2aa2abe2f00b9613c28e857359586d835b8da

SHA256
57d91939662c0feba409b5a61e5e24058410b8acb53cc928b6e6a90f2fd536d4

SHA512
22ff16f2c4212742f7019f1f80adc49e06c727fea730f615bf26a6aa706f998500cea9d2acb25e85c2d1efac0fa6193b7b8c8746d2c1f2f326be6fbc23e580df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
370de986bc1c15d1f49eb7f1b48a365f

SHA1
69ee9466b6b93bb206cb7347802b7a8804bc6c70

SHA256
f383929d8aac7cf9d772d16fd2c6008260bbcd1dd8e0b6dafd59ea7eb775e029

SHA512
aa9f90dcb42c8116209c15f53058ee583d6fac3ea66ab81b508fbf1a100e107bf4132ea92c39256ea60649e8b1500ec4d91d4011ecd28fa3544fdc3cdfdcf255

Download Submit