f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
Size

2.6MB
MD5

da7357080a48912241f2e0f1ae7907df
SHA1

a5a2562f25b886324bfa83be2d03bde60906fb65
SHA256

f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f
SHA512

0de4f257c532dcbc30774801eaf089d41a62ae6d9b925e858a894a33f5399b22842380250e86016474dd4aae5de0d8ab1c17e17e127413d24b28899e70c2d2c9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	locxdob.exe
2732	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0S\\abodsys.exe"	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOQ\\dobxec.exe"	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe
3012	locxdob.exe
2732	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3012	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	31
PID 1876 wrote to memory of 3012	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	31
PID 1876 wrote to memory of 3012	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	31
PID 1876 wrote to memory of 3012	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	31
PID 1876 wrote to memory of 2732	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	32
PID 1876 wrote to memory of 2732	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	32
PID 1876 wrote to memory of 2732	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	32
PID 1876 wrote to memory of 2732	1876	f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe	32

C:\Users\Admin\AppData\Local\Temp\f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe
"C:\Users\Admin\AppData\Local\Temp\f86a92ea33162946b7b5ef25c95e1534a84b9ed9a64b94507dd11aab9dcc4f9f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Files0S\abodsys.exe
  C:\Files0S\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0S\abodsys.exe

Filesize
2.6MB

MD5
78e3a462065e0dc91a6d860fa61de2b5

SHA1
ed4fcab0aa4cc22e02f7869eac9842934e280ea4

SHA256
632621b2f74879d575d63a42f91a0515f3f67bd9e966c4848dc825866f91516e

SHA512
3ed98f8c4636481d39944ef0373d99ede3263ccf0db87cf6febd624ec7aa400e544bd0d524db98adc19daf8ec55dfc7c33f0c7715b8d0610833632c2e16cf887

Download Submit
C:\GalaxOQ\dobxec.exe

Filesize
1.3MB

MD5
7949c0629c25a72a12d3865576eb04cc

SHA1
1c007fd7cdc095db238029afd3130a6d8aa9ecbb

SHA256
43ef24f0edaaef3b9a39ac61880314c07b3ca7c7aec273927b5ce4c720135ff8

SHA512
ce194f64ea9749f7fee8e65729002f8b729e723b29a1d0c9b51e2cf5d7279abaf9333e141fc63757d5c79cf72cd69e10f742dcc1a8e8121e675774a2f705df15

Download Submit
C:\GalaxOQ\dobxec.exe

Filesize
2.6MB

MD5
3ed8ae1921c4bf68c472085b783d49e9

SHA1
0a7584c89ee497c53e1894731f575124f0759b79

SHA256
c61ccc8cd9e82820a434d7add0b6a5ec74e4d504b6e10a2d15ca337296cf821f

SHA512
a26892486e3c99e213ebd40fe9586242def714c8f9c0ead502e2597e165b46c4d7e9280dc9a9b5e217df29b65ad1f3ecf81a55fd3d36fa4649be369142edda0e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
0cb987c3ef595f87e84ab56e66931b38

SHA1
a4a117f7c9257a894e6674742ac1f892cc972b82

SHA256
f1e7e865829282146288354d527f58906f5984e39100a961d2d0580e669cb41b

SHA512
4fdf7ddd9f65ab0b07fa3cb67d8422b15614ee41b2a61d95801ffd6757353f154cc4e6095046345ceaaf6c73dc08b2688b901d24d988c08e67aa726c69530cee

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ee659c187bf9c0a7d8d2f1215148149d

SHA1
94b4f9a22559db43025a585c2258ef33f93ff09e

SHA256
14d787ff6a6d8222fff30d9aa8933db99fc518badc13cda11d1d13e1e71524b2

SHA512
67a4697bf54d743dc4eccd627e55d3893ccc36471d0c876f5f99f04004775b32f43fab16934dee491130840469e40f10c4956d0b56c83ddf61afec28cbe455fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
67dd53c43183f10ed5c9d2db12a062fd

SHA1
eca92bda42e430ba01c310516bceeb942ca68af3

SHA256
53e77dc81401f3d36226ec49d28b6a9709c3176a237cca4f852ff10c7e77c090

SHA512
71be2ad65eb3e87e9cac77a3bf5f35a33c72ab49659695a72b28cced017e620956cce209edc67874207d005e7c4329434dca11f1ea6e5b20e5ed71c9bb01b6b8

Download Submit