1691d9d351aaeea5df4434c7805b2e5b91f0108c8ce722f574dfddfc540db8b1

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a399bf085ba899304ca6d071cfeb0f0N.exe
Size

2.6MB
MD5

7a399bf085ba899304ca6d071cfeb0f0
SHA1

cbc930c6db05c712a9d0959cf0d0a1f5d836c295
SHA256

1691d9d351aaeea5df4434c7805b2e5b91f0108c8ce722f574dfddfc540db8b1
SHA512

10a3b3c8c9c1e0268ac61d858e6dce47c7232d9fd34d0e477ccdf592c3472d007794f146a46b210bc427d4b612802745d59e09bccb75ae10f3f88bb7098de7f4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpLb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	7a399bf085ba899304ca6d071cfeb0f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	sysdevdob.exe
2836	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	7a399bf085ba899304ca6d071cfeb0f0N.exe
2480	7a399bf085ba899304ca6d071cfeb0f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvE3\\abodec.exe"	7a399bf085ba899304ca6d071cfeb0f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYW\\optiaec.exe"	7a399bf085ba899304ca6d071cfeb0f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a399bf085ba899304ca6d071cfeb0f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	7a399bf085ba899304ca6d071cfeb0f0N.exe
2480	7a399bf085ba899304ca6d071cfeb0f0N.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe
2348	sysdevdob.exe
2836	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2348	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	30
PID 2480 wrote to memory of 2348	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	30
PID 2480 wrote to memory of 2348	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	30
PID 2480 wrote to memory of 2348	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	30
PID 2480 wrote to memory of 2836	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	31
PID 2480 wrote to memory of 2836	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	31
PID 2480 wrote to memory of 2836	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	31
PID 2480 wrote to memory of 2836	2480	7a399bf085ba899304ca6d071cfeb0f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\7a399bf085ba899304ca6d071cfeb0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a399bf085ba899304ca6d071cfeb0f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\SysDrvE3\abodec.exe
  C:\SysDrvE3\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxYW\optiaec.exe

Filesize
2.6MB

MD5
c0f5b08c4037d7fbd4ba0e3b08eab3c4

SHA1
5a910c33df515dd81d2b75116437c79cda0aa720

SHA256
2d6d04a73968a391d95982c271ab8663aa7befe5db229b9e2eb3b2a6c9bb77d8

SHA512
f17374e53a538f2388ebff5ee42bfcf774e79c1ea947658347b8457f6d01d7ff9c182d4cb18ab72a63af42c8c112ccf018f6028acae5dfc594e11fa93dcee63f

Download Submit
C:\GalaxYW\optiaec.exe

Filesize
2.6MB

MD5
61197333b84667c385706dc8340f2344

SHA1
6f3c0adda0c90fce48b711237a9ff35e03c873c4

SHA256
86724fc860f9b37c5c1acdfd3110a23f3b8d10ead530cac72ae1c5fae0e9de56

SHA512
b299f88a926e596f804914b487bb9ad2d31cad575b232cbc229d8481598af2f074202fa7de4da16c16c3a0a67fc9c71d3e2759d6744e89484f0dd069fe5743e2

Download Submit
C:\SysDrvE3\abodec.exe

Filesize
956KB

MD5
419954aa0316c84df43cfc1ef76c5f44

SHA1
0e5157b6ee60544336ce1628a9669f1fecb4600e

SHA256
068770695f3dcec24a9298d430cf412271da98efcfb152fdb2cf1268fef233ee

SHA512
4b021b59cb4d62b343b5b83b665c8f3d7be4b2aa5f45083333719240f3b99efd77ad3bc4625d04b9b909d1202541e0a210c3fbf931889662b71bb3abc8e58f9c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
df2092db4ac43f469e882ab6bc302a7b

SHA1
433791a794fccbec958a3c3e4f009c248c72002a

SHA256
11bf115523362beb3085d4d30b984a2847bc2c08b67b2c2dfe6447187ed30b88

SHA512
a1d913f14b35e12c16b955d3b8d6abb56fd0afe2a632f1e0c9bedd18e2002a3241c5a44d0f8b4917e62803ade265ba46069e82cc8fd923ea36b8a8c73c7c7cf3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
fcff130fc8d5af1c65699a261992fcae

SHA1
62de0784f2d9e9489b5275dbe8389fafd410be9a

SHA256
ec697805e60c589a04133539730fc05460221ccf8455845e57404057c4971d41

SHA512
138088d7460e931e5d6892573721bd5e11cc5872b2a0d2a925ebfa162caeb8b90cbae0959e16875222e339294f8b6f22aec6aa7fa1fed99e13042d7225bb5350

Download Submit
\SysDrvE3\abodec.exe

Filesize
2.6MB

MD5
c80c4a0eb06e7aff2d7ed5e40f202728

SHA1
fe08bf040d3fe45100af8fa8772d5707cac741f8

SHA256
4d9dada26a77d226581d5128eb8110f5c88ca0c56256ce80546087f61f37656d

SHA512
1acc11656fa655aedf83db6ed78986353300fdf5949d63a8b4095f6d9b85d34c3d9f0fd266b94df7e17441d4a5bf4d12db6dad20046545729a3d8140fe4de691

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
61daa37483fdac3e87d647e297c99917

SHA1
2fe94660ce29457a35d838ea0e3a159ce916e6f8

SHA256
72a12c5bd5ab21741e4dfbead2943d4ea24fc753e9277a457e90bf15ea326441

SHA512
1dd392d7d9f9613701ba6ca0f7936d8599fd12a995b0cdbc9b01ebe8bab78ff13d107ccee5f5afca78c53e78695e18d2a91047b14d6bce33eaded4b0ea43a24f

Download Submit