ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Size

2.6MB
MD5

3e38cc57d56864db00de4ffed702c1a0
SHA1

5e8faf9126e8570be101fcfacb4d3e36e864b2ae
SHA256

ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27
SHA512

90688a4095a636cf9b7eddecef000e32061f1afd19f44e706db99000152b243b4e477400ed0b271b45741488872cf1c57f16abf712b66e3e8f71980af8bac4f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	sysdevopti.exe
4160	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files44\\abodec.exe"	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9H\\dobxec.exe"	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe
2712	sysdevopti.exe
2712	sysdevopti.exe
4160	abodec.exe
4160	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2712	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	82
PID 3056 wrote to memory of 2712	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	82
PID 3056 wrote to memory of 2712	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	82
PID 3056 wrote to memory of 4160	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	83
PID 3056 wrote to memory of 4160	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	83
PID 3056 wrote to memory of 4160	3056	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	83

C:\Users\Admin\AppData\Local\Temp\ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
"C:\Users\Admin\AppData\Local\Temp\ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Files44\abodec.exe
  C:\Files44\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files44\abodec.exe

Filesize
16KB

MD5
7194af4ca8b5784e038c373119d798e5

SHA1
9c114add88126c1358d7020ca7697c5b0528ea2d

SHA256
f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050

SHA512
dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

Download Submit
C:\Files44\abodec.exe

Filesize
2.6MB

MD5
b2ac43ff5c48f74ac267471bc2711898

SHA1
afc967a7723aa09f4a5cebf2e3d455d18117c357

SHA256
b68097b77247e8a9f984e611f68c75641cc530e5d3071ace36f06d2d2be3f514

SHA512
945d70b213f9a7975e41c37d6da58eee8d92524108ae9515daadad98d8f3690e8e005280643055aa3bc30fe4b8732498143833d806a6e1accd844b32d9f46670

Download Submit
C:\Galax9H\dobxec.exe

Filesize
419KB

MD5
30043b238ff989119758c2fd8c3318e2

SHA1
22c867abb59781c07135ae6614d6b891965b70a8

SHA256
acc02cf71a7a76752f9121949636551080e899415c810435066a6ba3e82ab7f1

SHA512
4d5e76c29cc406f64a05cfd3a5b96eef460553bbccfd5565c0033ad458f945f2070241b63d4f1350372fa7e31c2caaa6a666eae36a5fd9ca0898324ac393e903

Download Submit
C:\Galax9H\dobxec.exe

Filesize
1.0MB

MD5
9f1eb1f16835d880796ecdf33db02569

SHA1
229e102e13ded9df6fdd885e49296ff77f4052d9

SHA256
a7324774e259cdeb1544da84fbceb6e27a6206bec929aebbdc8d0f1e9da2a96b

SHA512
27c7d23c15a4491f283b3270a492a1004de25f8289d25c56781633b34010b7ada1e28707d34b7041e8bf2f89a95e75e328c63fd78077ec9264ba834154db81f7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
acf6774d07be31dfa24dba0d94538507

SHA1
7dc6025eb304369d3b7a1f3767d6cae45d90452b

SHA256
1874b810f92213759352dc33b242288d7fee7bbc08b06ab5eb2fdb21aa0c22fe

SHA512
2050cf8ff39f1b595a0e48cb4a97fcea02f37fcaaedd8993a8b21b48bb0621a5ef75c00484156c0f3e08359e92cd69e7e9c2b78b3dfe1b320992946beda9d093

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
2b3cf905ddda55d1ba75d810e87a19c0

SHA1
8e5255cdf54d403f091ed73f1da27b92001aa06a

SHA256
8091a831d5a0c21e1d44ec601f7f3d0fc24428bf4cfd2c507c56f874d1f78154

SHA512
29b643d480c863c56e6068195e12828ab0f69f062bcef5ac052209daae0b3622669b1489b6b655cd4afca233427e26ae715fe8c7e2036ccc3f4d18d19149bf50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
7bef4cd0fa3bcaf6ba00dacdcf3f8f19

SHA1
641d8fe8cc6991b21807d9846be07b32d04e9b19

SHA256
87c4ad8d4c301e14eec5f87b2f908faa2ebf3051c15f2959fd729bc7652b0747

SHA512
de3ede2bf500a6bc63b0ad73de1d27c5d4a0705b49d74c3b32885ac010c4c2185ccf822b5360de48fef06fd237da45541d5410a2f9f3cdc330eb3c063072c7eb

Download Submit