4d8d24f39d1527a4660fb3530c5853e36e35ef90b9c1bd72b7c64a592956d7a4

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935e8330a277f53f5ae26a2cd6c7c9a0N.exe
Size

2.6MB
MD5

935e8330a277f53f5ae26a2cd6c7c9a0
SHA1

59c92a2554fb4d11c71d9bfbb4dc72e828d63db6
SHA256

4d8d24f39d1527a4660fb3530c5853e36e35ef90b9c1bd72b7c64a592956d7a4
SHA512

416356bc4eb73f0cd4ff43a4ee39e461b931a62d42ebb6361cf96fd0d11096fdf47e602b75571217421ab8d93ebb6e483c0806ca64b3f765ed286f8bf0e88f52
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1216	locxdob.exe
1396	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6F\\abodsys.exe"	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO6\\optialoc.exe"	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	935e8330a277f53f5ae26a2cd6c7c9a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe
1216	locxdob.exe
1216	locxdob.exe
1396	abodsys.exe
1396	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1216	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	90
PID 1304 wrote to memory of 1216	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	90
PID 1304 wrote to memory of 1216	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	90
PID 1304 wrote to memory of 1396	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	93
PID 1304 wrote to memory of 1396	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	93
PID 1304 wrote to memory of 1396	1304	935e8330a277f53f5ae26a2cd6c7c9a0N.exe	93

C:\Users\Admin\AppData\Local\Temp\935e8330a277f53f5ae26a2cd6c7c9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\935e8330a277f53f5ae26a2cd6c7c9a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Intelproc6F\abodsys.exe
  C:\Intelproc6F\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxO6\optialoc.exe

Filesize
2.6MB

MD5
e42256a7c1542cf110ea4d190bb87969

SHA1
06647557326faa6e7a21bba345defa28566dbe60

SHA256
80dc4dce689aaf104e2dc5243c3d48073cc55f54acf0a076b23df15ffb23f4e9

SHA512
7dd9a86c09c03d2fbbf2f9921124b6d991ce5d61836a5f58e2a0f3d0d108f2cf8ce6ed11ddf06a9d806c6f6a36a6390944c395c01300f69171490d904e7af0ec

Download Submit
C:\GalaxO6\optialoc.exe

Filesize
2.6MB

MD5
174577bb0315d7a637f1324c6172cb1b

SHA1
e263d6c8c7e00190ada27ded3fb6e39f8221c33d

SHA256
170e54dae6d1368b552bac18db1de0c44bad9f1eccc4cb6d07525ee17a738b56

SHA512
001188a0316e2617a2b6d5ef54d35895c0d1fe2fac76a87e56b3f15c34e7c686dd46d8d2f057de19033623e7730cbfef770636e3bd8345df3a948c09a3f7345f

Download Submit
C:\Intelproc6F\abodsys.exe

Filesize
1.9MB

MD5
fb235ebfcad0427c4d8ab592cf891544

SHA1
e1748ba3ffdc1c647bd772ecbbc96cc4bb7193c3

SHA256
10ced1e4b019e3ef4f5a8e7cd397e9ab33dbeedec004b3fc4c71cb7c063de62e

SHA512
e4291cd7cf6c7ee58277984dcdeed1dfdf78e044e58f1779a8e9f45c226b2130cf3b2103b77c2510e45bcd0baaf32d8dbc742a603664217e52aaf75c48db820c

Download Submit
C:\Intelproc6F\abodsys.exe

Filesize
2.6MB

MD5
e13e2ef7df10a1de649e254df8e8289b

SHA1
a717e1a9c9f31f365ea41c6fb68683b1fcfd5f36

SHA256
58b4008a1f2c1d0151cf6a0c199caedd344ada5fa628da4e7989341cc1a1679e

SHA512
5d4dbc750f10cba5c8c070f537c3099eb12b11aa1d8222306e6a1d991c4c2b0685fd470fc723cfb5207c91bad91d8b6e6710ab75765312f4e32a4a006ef60f79

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f590c73fb279c28e8ef82048b51fa852

SHA1
61fe0eaf47e3b1de85efb4e8aa9938aaae260969

SHA256
64dcea4999bda9d10f13d0da481a3635da967a2f8d81ca3384838fa85112f0fb

SHA512
e3950c2f732cc3374fdc0c67d5febd85782c5c20aa83fee16154b2aef03f8460beb9f3fcb0dae14bc130f5f27c4038544d6ddd387c5449165f21b30c66dff0d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
6e90186e2a46baa37ca921248faf5e10

SHA1
e02a6cece8c487d5ca355358d2eac170de0606bc

SHA256
5105d422c7645dcf85af3e0d5ad89c9ba2baad9653aa93cff9e260c9a2b5e169

SHA512
788d1397439e4c56d7a8ed58515fbcb504211863e733a596a2c0c287bf6cd2e3e132a5fa04b760bd530649f8bf554fa215ca15aec96dda743cb225da5b6ca8de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
60acbda6a434f9e25e280d11d62b765d

SHA1
46d9fa6ca248e320701b250e14440f115c64b525

SHA256
1cb130db18cef74932c55e1d03f6840a220def0306879be4577750ec120a2375

SHA512
88c674f2599f4be7d0857230342cb4fbad85de7859a0b157a9f4cc7bb222c45bb23e62ebafed5c9be9cb02616522fa86f38a086083ae1accf6b17b8880623224

Download Submit