aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Size

2.6MB
MD5

98615eb3bdf077c6d2fd904ab9345bd9
SHA1

ad29b0a62a148fa6921494a207cbe1911fa8b838
SHA256

aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47
SHA512

3364f34bab6483d7d30e16ac867c0cf71f6f658d9759c6fb2276f04298b018ca13ff75c8b554bbba0fa890d7ff6a743ca39ff38e5b27ed5eb71a166ac8d48a78
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp3b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	sysxbod.exe
2696	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesW6\\abodec.exe"	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIZ\\dobdevloc.exe"	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe
2256	sysxbod.exe
2696	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2256	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	30
PID 1956 wrote to memory of 2256	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	30
PID 1956 wrote to memory of 2256	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	30
PID 1956 wrote to memory of 2256	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	30
PID 1956 wrote to memory of 2696	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	31
PID 1956 wrote to memory of 2696	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	31
PID 1956 wrote to memory of 2696	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	31
PID 1956 wrote to memory of 2696	1956	aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe	31

C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
"C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\FilesW6\abodec.exe
  C:\FilesW6\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesW6\abodec.exe

Filesize
2.6MB

MD5
c9a4ce62409e3491edd05ae60a89d835

SHA1
014312cb9b448bf772d95b6a4db202e398f7ebc4

SHA256
d1c53642431b3e4940e9cef6b48b8384c16e23338eca0196c8b540a67dfa66aa

SHA512
3ab10388a44ed91a64a400e7024db3a6d0ac4213402445161218d58ca2d560bd41f28a79be2e19946f1e1a8c030c4f5fdc9091ebfd7b39684068f2c828f1b080

Download Submit
C:\GalaxIZ\dobdevloc.exe

Filesize
2.6MB

MD5
a2afaa04e0cf85a7029453f1dbc6e715

SHA1
2ad9eebda7dbb07730fe4a4b19673f1136fe9414

SHA256
e9f6aff9dd3ba9d8c6dadd34b693d5ffa74f788b6437030552520e89cff82130

SHA512
632e258ad818a800c5ec711448c8115bee1e6558c317b57032429b601e6a6007db3a753128502ae3919647507cf364f6c4128dded7b5a95b01adb503333f3fb3

Download Submit
C:\GalaxIZ\dobdevloc.exe

Filesize
2.6MB

MD5
53625deec37b51f54932ddc274764e1c

SHA1
e9038f012e90d1b888defdbc8256e2ed0aa1cf94

SHA256
46de67406c8d5a509bb7781282f5494d79c1933e4aba28990da499c256ea057e

SHA512
f50eb7414e9cd9ea41ca6ebb5f72256642c8b0006d8f4761e93dd8bf9551f61466ff4fb89fff59070289d01be4c53785c9d26ca1f6b755ed401e232bc2389aba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
1aced9cb0a1e0d28f504f2d7ce539f2a

SHA1
18506c5c1c6f2c8abc740ec7fc22a013dce361de

SHA256
bea35b27475a1a24fb3d886ac9fb9f23c6aed42d2bef1207e9a28ae6ea084094

SHA512
cd91ec1940cd123f700527fd70a908474f8e8ea9e6e295879320b541654a24ad90b344a8ab29025b4a3e9ba03ee82743b9ba796ae3a4d56705bdcf39f837ea45

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
b53478b894f2dcf42795956136ab88e3

SHA1
83620760fdd426ff6b779542385a7ee5c7ed5404

SHA256
0380cb0e98b33c3ad23a1d4e50de976c50b63c202e8a3057c69aee72f76bbb0a

SHA512
4f0019cc054f1fbf016e4d1d797c64ff9314e799293840c0cb3635c72f4cea7faad00a7bd1cb34abba20ed71fb93958bf63cf6028570065e6476d1e4ec99f6d6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
b34b95259f0ead4a6e19faa8abd03a13

SHA1
4dac14411bba3e64d4bf681cd76c6d6ba3010a0c

SHA256
54b91e7977148f012ae14da41c1bd89e0eb73d26d5ce30124271f49a9cccc398

SHA512
b27d8763be2a8e8f3944072eec7e80613ce4385cdc7149cc983adb15ca235589e47c1fcdb4b85df568d42d74cd5e358d9cab58d2d49e06f8201440039941f7e5

Download Submit