835de684255c31fb62160d82f1973e49f132a6f4476d055233356db3088aa73e

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 05:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

158356ef887e9e9901760c933cd85740N.exe
Size

2.6MB
MD5

158356ef887e9e9901760c933cd85740
SHA1

738d9d49671ca8e88cd4eb6ea2e3ff0b34b37769
SHA256

835de684255c31fb62160d82f1973e49f132a6f4476d055233356db3088aa73e
SHA512

ba11b8d3b1a42c0a5bda0894c7d5e620443eaff5a75497d2f712fa36dde878ba605e14a41404f1f6987d701cf4ebb6ced4de536caae0953f893ccf7ae98b2371
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	158356ef887e9e9901760c933cd85740N.exe

Executes dropped EXE 2 IoCs

pid	Process
4060	sysxdob.exe
552	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCX\\abodsys.exe"	158356ef887e9e9901760c933cd85740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEF\\optidevec.exe"	158356ef887e9e9901760c933cd85740N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158356ef887e9e9901760c933cd85740N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	158356ef887e9e9901760c933cd85740N.exe
1696	158356ef887e9e9901760c933cd85740N.exe
1696	158356ef887e9e9901760c933cd85740N.exe
1696	158356ef887e9e9901760c933cd85740N.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe
4060	sysxdob.exe
4060	sysxdob.exe
552	abodsys.exe
552	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 4060	1696	158356ef887e9e9901760c933cd85740N.exe	87
PID 1696 wrote to memory of 4060	1696	158356ef887e9e9901760c933cd85740N.exe	87
PID 1696 wrote to memory of 4060	1696	158356ef887e9e9901760c933cd85740N.exe	87
PID 1696 wrote to memory of 552	1696	158356ef887e9e9901760c933cd85740N.exe	88
PID 1696 wrote to memory of 552	1696	158356ef887e9e9901760c933cd85740N.exe	88
PID 1696 wrote to memory of 552	1696	158356ef887e9e9901760c933cd85740N.exe	88

C:\Users\Admin\AppData\Local\Temp\158356ef887e9e9901760c933cd85740N.exe
"C:\Users\Admin\AppData\Local\Temp\158356ef887e9e9901760c933cd85740N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\UserDotCX\abodsys.exe
  C:\UserDotCX\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxEF\optidevec.exe

Filesize
2.6MB

MD5
25475ece93964c760d789b98b54f780d

SHA1
90ca28dc72f65bda9919b9f285bd002e9db8ab66

SHA256
812a676ecfc0bf4055a820c1d14886b402b9eea77986140af47c680806a7e3c3

SHA512
fa27c67c58e08ad9b1c9e50189d4842674934fcfc17355ccf8edf7737413ab15b891bf576191e905be1680e33fc331b0b7da6fdca4a6a1b4bc0f9987a11af148

Download Submit
C:\GalaxEF\optidevec.exe

Filesize
2.6MB

MD5
3d0359363343c1e48c78f9a01f86bcfe

SHA1
f9c4215fc916f49885aa7602bee073a61d93e01d

SHA256
57b136117bfa19659224f7e77408a2487aab3a8c0e76ae7029c7257be237dced

SHA512
1ba08b0301c16e9070cf6054f3417e5956f9676c5e07acd9f36d074a9779e417239134e4c49a9d2b90b3f2dc6911505a22d1174e2efcefe05b44207f78df353d

Download Submit
C:\UserDotCX\abodsys.exe

Filesize
987KB

MD5
aaa99fb767f59055899588f9f04fad5e

SHA1
719d21725a8b7448659c8683affaf94bf3cc0d1e

SHA256
381bc3421af97a8b1b680d5a2e5d94cb0713a5647c4738086f44b8e570dee94a

SHA512
e2742e517bebcfe80d2401505a0494531101761bdc06e184bf0173d24e3ab7e6cee823bfe1fd22b8eb431ae1a3b783387d1da427c9a672bee8e03e782302f92a

Download Submit
C:\UserDotCX\abodsys.exe

Filesize
2.6MB

MD5
a201f310df9f042736da545b2aa0598e

SHA1
ff67156f32d67bc9e8a1562b91a4e0cf3ad4d5aa

SHA256
0d3e6e144f8f42cf9ae83b0a280e7285f6d6dac61eebacbbcec8f01da061cd8b

SHA512
46ff4e28418d23440f47fe76d2606143dfc7303e247769778ff18b2a3d40f0d0b34709debd091ce86fe7be12e3a41b2d423880fc3fe3557ae06a78d5c7ad25be

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9b6be05515d1ef63edcc6d9c87b2b868

SHA1
9ee6a6cab1e325c97ab3b532d1ace6b252a6fccb

SHA256
7b96723858f0772367e5ab93901a3b451ddc60f7e127294e06827c820a00825d

SHA512
79632b0043a045f1fd4cdd970d2d09230c18d0096b4c25c44839d6a26438a7fb727aff9b1e90002a0a9cf512a45e0cfa51d5aa603b248024dd02f8f932b94f2f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
58dba994fc3bb98fa1cb4e589f95a9f7

SHA1
7003b617d0c500cba795e84eae5ee41bbedbb6d4

SHA256
1b26509348fd1d7506de5bed0687f982bda5a91fed874d5eb94afbfa8e4b1824

SHA512
dd0ee08e04ddbef18c0df438054fcdcc783c722b3d4a6cade7cc4e721aee140c0ed6d47c2393f03bd72f437a3938c5fbfd6f6c6479450e807332e9d2d4f6b48e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
bba1b7f92f89e62c8246ed80a67da989

SHA1
4343795d63cbd5f33aa0c8b03a65089af7cee269

SHA256
446b9f353e4a953b2eba75a56614806e9193bc4c7e65e962b2becb88a5ffe946

SHA512
0ebc15138c322b33f1e75ff5bb589f4b300127b8f842b786d6c8cb74c0074c70ba2a9fdb1240266804e228605b8225ddb526f4ec392aeb762237f251fbc4d2e8

Download Submit