8b9d6e01ed14e6dbc555f8156ed337df2decc760b1a0a92b97ae3dc1e7547987

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1811ff8e09ca8a0caa777852400ea8e0N.exe
Size

2.6MB
MD5

1811ff8e09ca8a0caa777852400ea8e0
SHA1

d2794f6208b655058eaea704a37e688f6c98607f
SHA256

8b9d6e01ed14e6dbc555f8156ed337df2decc760b1a0a92b97ae3dc1e7547987
SHA512

5abceb5b58a06aaa12dd7c3d066d667cb4f0484d7de5a21d5942f380679ff0c56de254c5bce4c6bd9b6292e803af5fe857178551c06db08e2ab4967ecea0e250
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	1811ff8e09ca8a0caa777852400ea8e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1428	sysabod.exe
1616	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\abodec.exe"	1811ff8e09ca8a0caa777852400ea8e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK2\\optiasys.exe"	1811ff8e09ca8a0caa777852400ea8e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1811ff8e09ca8a0caa777852400ea8e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	1811ff8e09ca8a0caa777852400ea8e0N.exe
4860	1811ff8e09ca8a0caa777852400ea8e0N.exe
4860	1811ff8e09ca8a0caa777852400ea8e0N.exe
4860	1811ff8e09ca8a0caa777852400ea8e0N.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe
1428	sysabod.exe
1428	sysabod.exe
1616	abodec.exe
1616	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1428	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	91
PID 4860 wrote to memory of 1428	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	91
PID 4860 wrote to memory of 1428	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	91
PID 4860 wrote to memory of 1616	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	92
PID 4860 wrote to memory of 1616	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	92
PID 4860 wrote to memory of 1616	4860	1811ff8e09ca8a0caa777852400ea8e0N.exe	92

C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\AdobeKE\abodec.exe
  C:\AdobeKE\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeKE\abodec.exe

Filesize
1.6MB

MD5
a7175fdcff2ef4b322c963705805acbd

SHA1
9604ff9d443a1d53349886abfc9e2b529b588240

SHA256
f170289a93b5bacaef3f47df2d7e5a1d736f48df9a704697bca48187a17c12d1

SHA512
504b9a002aecda4128163f8158b862e33e29c2b44a3db91fc03dfce12be6061808f946127e8f50d312dd699a0b843dbceb8b2cdf1a19722fe76d14f22800e389

Download Submit
C:\AdobeKE\abodec.exe

Filesize
2.6MB

MD5
000ff0f3cf6b4ece1394782358d65092

SHA1
524ae30cda0dea8bad37535777408beba27d963c

SHA256
d1797b17fbc7ea3720dc7211b44b2df4808367952cde393bc137464fcd9800b9

SHA512
967a5677a9c53073a5373b39ca2b4fc0dbee4d70ba9e6c57587c83e115ca90da284c467d5603c05543eb04f3cb7d9b3de2f4af72399f90ce353c23b810a56783

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
24KB

MD5
541fec65455d5b34bd07a7b314994d2c

SHA1
55079bcde6bbc149b17389609709433e60bfb3d4

SHA256
a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c

SHA512
da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e

Download Submit
C:\GalaxK2\optiasys.exe

Filesize
330KB

MD5
223b818179288e3d74a49cb0ee3d0b05

SHA1
4caa7b70f2ac925d0ff72ff8fc66a015c1192385

SHA256
f4f49712d5ed7eae1f9c62b40855ee609a06d7aef40369fdf86393f5a4f422d7

SHA512
9acb57b2a0db5b2432a9d1d4183492777268a654864da301c48e519a7644c79c59492f3c27683547a92014281f59357617363994976c90436fed03ce0b98baa7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b8313712adf9c353a9faa35e16a4716b

SHA1
2b8f71a321e05ac39169966c5d93056c79140ef1

SHA256
7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4

SHA512
c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
ca72aaeb1c2791b46837f2dbca9ccc2d

SHA1
6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae

SHA256
ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f

SHA512
d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
24a4b2a1feff462ae43cd5e322c72d9e

SHA1
23c963876b6e82db59f3acce08cff1078d0961cf

SHA256
c298931d13d8a6733c9032d9b0dd03b55dd37425d2ffa072aed9306bf9ee47dc

SHA512
a009ca716309e70a6f851753c13fc0c1b07142dac4ee4aee81a2263ae2c837dd6daccd0bf99c0bffe8137e87df690771efb3c720913c34a4cbd97ec5787e1010

Download Submit