e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
Size

2.6MB
MD5

1d6c11ec7dcc2a8be3ea0efe31061d40
SHA1

9e5678ec7a2286eeeb10b2a2fa0c96895f9c7620
SHA256

e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342
SHA512

bb389a68720b589aafe021fb7f35acb82ce644b10275ec7857e7ffc0e3fccddb59ba8690facc9a8ae63b84ab892e58e091bb672ebece8b94a75fbc9914b0de71
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpLb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	sysabod.exe
2296	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\abodloc.exe"	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRL\\optixsys.exe"	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe
2260	sysabod.exe
2296	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2260	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	30
PID 1732 wrote to memory of 2260	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	30
PID 1732 wrote to memory of 2260	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	30
PID 1732 wrote to memory of 2260	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	30
PID 1732 wrote to memory of 2296	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	31
PID 1732 wrote to memory of 2296	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	31
PID 1732 wrote to memory of 2296	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	31
PID 1732 wrote to memory of 2296	1732	e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe	31

C:\Users\Admin\AppData\Local\Temp\e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe
"C:\Users\Admin\AppData\Local\Temp\e2c493b65359a28006d6fadde427a182caf5d4f07e0b034fae57fcab71dad342.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\FilesJL\abodloc.exe
  C:\FilesJL\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJL\abodloc.exe

Filesize
2.6MB

MD5
9a12ee1e9347c157d2a6e48125054fc8

SHA1
59652b7b66466f487086126a3259dec00b1f8ca5

SHA256
5a347692adef60babf175e487987f2cbfa773728f7cf564bc569aa68e772f052

SHA512
3c05fbb14600b8f4118c00ba4c77ab26bb7861a6ead086bffbf7079953364f6388810152f4df9715a89e44593c8ef8b337d57e4764ec0e17d67d3a9f3de9fe36

Download Submit
C:\LabZRL\optixsys.exe

Filesize
2.6MB

MD5
eff6b2bf9d23f03a654f92e41ba00096

SHA1
e19eab4f19f6797e513fb9fc62fb47570a70e871

SHA256
b37327ce5897eb45b82059885c10ad70bbd221a7f9ccca32428d68f2b401a5c6

SHA512
f884cdb8a7c45203424abd3817e77701dddbde5d13e9fcbce6e69c409c484e6184863a94a3072f1a3a32a5d11b00fef2b16d1736d6d883ef0f763980f15d6cea

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
89ddbde42baa89e6b73a46c5a9dba384

SHA1
d005bdeff73e24acd99c46defb0aa304f918bb84

SHA256
dd0f43d3f10fdced0149e42aec5dfb65db7da35eb2049d3df1c9e08941040a57

SHA512
aa1570bf0ed025555cce3b15d73648ef45c1c1fe98c4fc67a33a87c57d61d08dfc76bdfb57d8f6876ecbab6526729358df30ef672b5582aa150d07ab9e47fe08

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f60c1af432c1e51cf7f76804ddc84407

SHA1
3b5e3f90f3e9fc3e2453c5d32880fc548b13cf73

SHA256
f9ac4ddb9bf3c5fdcc16aab8a32930ffc2d3c12d94a8e1abbb5e81bd3a795ca6

SHA512
9ec9297577983551d424dc37f760ee341cfca66105eaeaedb5e90d2b70d107ba71b9c90013a76b4eb982f6a17dc5d287daf0089d79a391eab8336aeb73e2d7f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
d3b42ba234b0134e7f79a8cf3e251290

SHA1
f133732bc0eece27559de81bc59874067411efb8

SHA256
7dce2cff89f5ef1974939bfbac3dbb6e50d6c3321c53b6f491a463a4a7548b0d

SHA512
7c2d7566418a0f332d8fdbe626a908fce02c68c71c3b7b62114455114b89ef86175e0dfdc60c7b4c62bfd56310d40e1d2a76008d83d94006ce1acd5f81e8c68e

Download Submit