1218159171e8b1be069c538486ec224e3bca76d7e396d4123a95074424f0e62f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
Size

2.6MB
MD5

dea34826f04f9e0e2843331b3a4fd645
SHA1

9acb4e68c30db027e55f134d41e145aef6a1b135
SHA256

1218159171e8b1be069c538486ec224e3bca76d7e396d4123a95074424f0e62f
SHA512

506c90e4a638942ca496f21608ebc96ca62011903d2fa5177fd3423714c20bb2b2671fe858b54f1a43859cb1d32d0f86f188e08db9d7ad4b8a63f129e2b44754
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpLb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	sysabod.exe
1344	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKQ\\abodsys.exe"	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSH\\bodxsys.exe"	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe
2520	sysabod.exe
1344	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2520	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	30
PID 1800 wrote to memory of 2520	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	30
PID 1800 wrote to memory of 2520	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	30
PID 1800 wrote to memory of 2520	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	30
PID 1800 wrote to memory of 1344	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	31
PID 1800 wrote to memory of 1344	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	31
PID 1800 wrote to memory of 1344	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	31
PID 1800 wrote to memory of 1344	1800	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	31

C:\Users\Admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\SysDrvKQ\abodsys.exe
  C:\SysDrvKQ\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintSH\bodxsys.exe

Filesize
2.6MB

MD5
10833e5c0042be6021a4658c2244970d

SHA1
9756a7f286168e0b7afc32322562ac6c56e72058

SHA256
38344588bd81dc94aaf55b34c54987942a5113de9f3786ea5277afa79b74796d

SHA512
a038a76120c8c63620cdce91f131709e661b307e0c9ee8fd8e803a6b93b5473871d2ede4b0db1332112cb190515de1e231dffeaf716b378b7d6f3bcd895ecb76

Download Submit
C:\MintSH\bodxsys.exe

Filesize
2.6MB

MD5
2517ec7d3575aa693477714e6454912c

SHA1
b76c387e22646cc44b8993f07a5f6306e76df01a

SHA256
ef30a468a461f9b18adef4014db5bddd60f1774567049f1521cbdb042ed9cd3e

SHA512
7e280e956be53ceee3be8f3bd6719224c02650bc9ee83fd040e968167f0f87af03f0bbef6489135fbb3845aed7a22ad3911af7c1a400fe0361d72f21dc259c1f

Download Submit
C:\SysDrvKQ\abodsys.exe

Filesize
2.6MB

MD5
7d05d15bcba69cbba6e5eed34c5f15ac

SHA1
29d9e327f9e8bd1159278cf9a3c9f03a64883f65

SHA256
bea0263bc31261450e8a959f5bbd930a8fbf2a0aa670402bbe241a46643dc060

SHA512
6381af220601be0ea39d80c91d06e18d05b502e692ddf1c0bf1478b5c4983877ff20272909e568605bc1d2bedf6e0bbc51e04d5b1b28f83d6053f823b4ad0397

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
cd056d39e9b59c66d0ae6ddacc4a613c

SHA1
2b9eaea012ed4b6bffa97b0d71d0c8ff523c0888

SHA256
bb2690ed89aa5ae572cf37aabad388683152ea174c76ce38a308e5f5f941c646

SHA512
01bdf1da4b890b0c46cad091dc9e68c490c5adbee543d7d2eae41cfe620dabf5bafbbfa5f2fce4fbc5ac51476037344517c9ff0bcc4f8a8ffabe514a82b40923

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
88842d94f8f93ade8d88da13b58d8b3e

SHA1
3afa4f330c5c992aff8fc9e9aecea166f5ddb74b

SHA256
7b4e08493a1c379ce154bf66a24886201e3b68b0928b598a5e1a410766af2e4d

SHA512
be1a3d0b1021462c072ccb1afe7e79728fa4c12de5860c6c891c6fad9564c752e4127f2609fefc62bd212865fc38d363b071e98517f4ae5cf7685fb6e4e19419

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
f73a5d24ed5b2e01101b585c9bc907ea

SHA1
63181e8cfc9a8aaea2b0bac99301b4660edecab9

SHA256
e7931f85fd753d7943fc803d319804c634d33e24b672cab15f55272cd9e46fd3

SHA512
01f74e9a28a9c04e8bc8a2f3bec8a72c5f3ae81a58ed38e1ff001f98d50e69708b2be5823eccf14f74bf0a4a09efb3e01b690cb88b2e9c3fdf78bd9ca7230d6b

Download Submit