06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Size

2.6MB
MD5

be671e439fe8d78e3d53f488acdf2990
SHA1

c1e98eee250d1faac7d9b9c1047469ff1a1bded4
SHA256

06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca
SHA512

c87d75d42c2c10cd34f7085c3813b8959040f8083cd5563e3f1fce5995dd6e32df89fdccfa08c37060d986b4159ad7ad0145ec6aa8de7416d02f9784907976e8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

Executes dropped EXE 2 IoCs

pid	Process
928	locxbod.exe
2648	abodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7V\\abodec.exe"	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT0\\optiasys.exe"	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe
928	locxbod.exe
928	locxbod.exe
2648	abodec.exe
2648	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 928	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	86
PID 2176 wrote to memory of 928	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	86
PID 2176 wrote to memory of 928	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	86
PID 2176 wrote to memory of 2648	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	87
PID 2176 wrote to memory of 2648	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	87
PID 2176 wrote to memory of 2648	2176	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	87

C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
"C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Adobe7V\abodec.exe
  C:\Adobe7V\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7V\abodec.exe

Filesize
12KB

MD5
0d80c026ff7217667d1758553c9b1b94

SHA1
14d1f220d41220a37e1c0a894bbcc390e238adac

SHA256
3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8

SHA512
5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

Download Submit
C:\Adobe7V\abodec.exe

Filesize
2.6MB

MD5
7b92e897600bd39c323c6fb20e933e17

SHA1
27f6cd7ecef8beda1629e751c395a7f259d7149c

SHA256
c9616e02a7a9931146a3284a6e36d3d7566a6feeb51e1aaeb964362fe66c9bbd

SHA512
0b9aeb483b1940d412db3e794af05dbfb846761a75ae56e8f4ebb9fe590847b01cc5e7e9e6da2d4fefbf43c3293d61e937ea9b15eb3ffd03521d80d917268dee

Download Submit
C:\GalaxT0\optiasys.exe

Filesize
298KB

MD5
a326ebd55e915bea217f9ad731727434

SHA1
c2af53a1ecc3b8824fdf7abddee6cfed3c098a8b

SHA256
87a502e1c0a4a98fafb61b004a4153b5a7daaf920814768319c0aa1e7106517c

SHA512
6d970b8c1ab94905e03aaa2ee79c1eac3089bf1a16640701b85c2407647fd6d531781ccff988fc43eea7746d041acf1d548623b902345eda42568f59f3f38b07

Download Submit
C:\GalaxT0\optiasys.exe

Filesize
2.6MB

MD5
99427efa5a509ad58d17ecdde60de8ab

SHA1
de913a6a46719ad8ece007fcf8119ff8f4f8f5e8

SHA256
8948148e3e015be2c7916cf52270f8ccd8ca44e56f96f126e90d3eb132399229

SHA512
a20544b0c2b42b27501afa2975c9044b032d2787ace6e4260fcfa01f3e12944268eaf7aed3e73bebfd1b761e2069449a04dfb850d6e96c6a38819b1e3b7f0603

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
67813a4ff74ce45284ad48bd2cb45488

SHA1
ab774b427ab7074864b48966bc414ef8c3ff57a7

SHA256
4b5611a6d3975d1c57fe87a4f13c770abb6a7c2cc15cf81f84db57fa6bb5942b

SHA512
abf09f5e6f8170fb96372ced877c052c5e71abd043bdb7b35ec8b370053aac2ad1fee37c575016ce2d3b66abf109a20ee1e2fecd109b35e5a3f5453d2a6b1455

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
afef9ac3c749bdf9b2dd12988d0b55d4

SHA1
8fb0ecf2d36a61aba917cd609b1422ca99b75ed9

SHA256
12e6a002117887117d40c23940734df5a58e6c456c724dc38a32b762781953ac

SHA512
c5d163a765a2fddfe989286455dcb349cd7bab039bbbd33231a622c90eac772ab3c4ac75b0ba9086efca3c000fa5b06014806fed7daf4166c41bb16a5a0a3fc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
a252c96a55c0fa2997acaacbb5eb71d1

SHA1
d6b42754f6ac2180688dffd0bd47437815f542c4

SHA256
9a3161ca158eaf719914a66edd2a90058746ee6ccea997c593829c21b4d7d1c5

SHA512
23ae0532446a48b315857362688ff612d0de4813e4c7d0708a97f93dbc9d94bd2277149d1a4b641b111f1555f8255e9881397f0ea2ea98f00b5cc42e0cc856a6

Download Submit