2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Size

2.6MB
MD5

b45ecefc0d06e241de6a6f2a8c84f879
SHA1

d7bfd988ff93092f8bfab8f2b59f5bc36b7367cc
SHA256

2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d
SHA512

fcada78bfe17eba7b69566ffe9c632d1d261fe4ebea18367189f87cfee6347ae37c0c6e7b0d65a75ac722e60862fcc9e5fead1476c12f3b79a709ba90402bea2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	locxopti.exe
2688	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG5\\abodsys.exe"	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\bodxsys.exe"	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe
2124	locxopti.exe
2688	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2124	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	30
PID 2536 wrote to memory of 2124	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	30
PID 2536 wrote to memory of 2124	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	30
PID 2536 wrote to memory of 2124	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	30
PID 2536 wrote to memory of 2688	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	31
PID 2536 wrote to memory of 2688	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	31
PID 2536 wrote to memory of 2688	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	31
PID 2536 wrote to memory of 2688	2536	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	31

C:\Users\Admin\AppData\Local\Temp\2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
"C:\Users\Admin\AppData\Local\Temp\2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\SysDrvG5\abodsys.exe
  C:\SysDrvG5\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvG5\abodsys.exe

Filesize
2.6MB

MD5
722b83ea8f07fbca8530f1cd316618be

SHA1
d43353ec5a9f192faec445a06a25c5135c643134

SHA256
bdc08d9edb43768add83f7efec3565f3023e115a1d6d396ba96de18d02bfc5ec

SHA512
54ee95595417792039c17df3424ed7e3fd307742d3109182b1bb362c5f858e5737f57c2325728924c856881614f9394a0eed1fb3dd403aa2e3d966aa0fdba1ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
f13fc04d77ac19a599d9d934ba281d0b

SHA1
72ed46723f2821ab3eb23dc693bdd005a832adb9

SHA256
a8fdec062d5bbb9bc57885428c9aa373594ab13fbf26e7a4f34da2eae37d64c5

SHA512
6a987c656cfebff831599d25418488f86d641cb8f35be6c8c91d6780ba9b5b7e2c915a8e34582c37fa106ec9e28daa809505d36c922c58399eae99fd0b245a43

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
66d6fa7dc1037e96481b5620b4e926bb

SHA1
0576773d7b9343efd3ee65b42927955cef0832f4

SHA256
9f18d2310f39f5fc82de0084931955cff172c4fef107b1cfd86c6ddc0df453cb

SHA512
5f2983f951d6ee453615fb28cb2cbf9950008af9f49435bc1c53dd05d5311dca0cb416a8d29c0e14ab267585d63531fc656e3182de8705b73e5a7b4331d916b3

Download Submit
C:\Vid10\bodxsys.exe

Filesize
2.6MB

MD5
779699954d773124561db86bdc06afe6

SHA1
a482219c53ce03c4efbf72ed71f5427d0d1866f8

SHA256
4dcdc21f6e34ccb02c50555a83729a861da12b1ca5c526c131e0d7c90cc99f1f

SHA512
e6c327af89823240607df20ac2adfb6f260cb40964e6f6ccb2799c9a34712da755f3d20e2dc966bdeeed698ed43d873aa5623e6a9f640f7043b14dda3b65268c

Download Submit
C:\Vid10\bodxsys.exe

Filesize
2.6MB

MD5
22bde7eaa5bdece7e20d89ee8db90d04

SHA1
680225c52c42857e3d15c1043e6baec0c4b593fc

SHA256
79cc2e6c5464efd2747aa725ccebc30e3d9d84e12073ad62f640de004dcf085d

SHA512
ab1f8b87e3523b1103729823a9d43be74e7aeab0a2dc5bcee0d9d3f510814b26f8ef8b98d4a40528054679400897c323c74a2471f919a02174b9ddb22dcb98c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
282fb05bbe1d2b4264b0b879f1416ae6

SHA1
7c7315eb52c914772c11dddac1acc46763ac2973

SHA256
d23ba170b2228e022a368be6da156583306e6e5c025fd1560d249c11c575a5cd

SHA512
f733a10d1eaed016dde94867dbf91358bd184fddf6a021c09d71267b9863dfbb3396ad924cdccd7952f6794f00e7152bb2b21db1513dd9f1159dc73f8658c546

Download Submit