d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Size

4.0MB
MD5

3e79f0a808cddbac65d78fd138dc9887
SHA1

4127b5318fdf0f807e1b04bc6d47709f2bfe488c
SHA256

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8
SHA512

c43feae9420d716b5fa291e92b0afd400d74a69e176c933b99301da3db0e525e8776b79d3181f4fe36e4a59b6a16847d476af4af1ca83967497c49daf18f47a6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

Executes dropped EXE 2 IoCs

Processes:

sysaopti.exeabodloc.exe

pid	Process
676	sysaopti.exe
1920	abodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGH\\bodaloc.exe"	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0Y\\abodloc.exe"	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exesysaopti.exeabodloc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exesysaopti.exeabodloc.exe

pid	Process
2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe
676	sysaopti.exe
676	sysaopti.exe
1920	abodloc.exe
1920	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	pid	Process	procid_target
PID 2844 wrote to memory of 676	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	84
PID 2844 wrote to memory of 676	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	84
PID 2844 wrote to memory of 676	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	84
PID 2844 wrote to memory of 1920	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	85
PID 2844 wrote to memory of 1920	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	85
PID 2844 wrote to memory of 1920	2844	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	85

C:\Users\Admin\AppData\Local\Temp\d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
"C:\Users\Admin\AppData\Local\Temp\d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:676
- C:\Adobe0Y\abodloc.exe
  C:\Adobe0Y\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0Y\abodloc.exe

Filesize
4.0MB

MD5
bbe262b1d81648586b683abb80f51ea5

SHA1
7ba5e3df2f59a51bb1b82d0c6b753b703bafc54c

SHA256
5c877901b81c4cc2635940dabdcbbc7a989cdb546a9ae18782380820ef676060

SHA512
2b37f6d9743299945193c9499f71060ea222ad2f978ae24bda1b4f82d2024fab332c26787ef76c669689b3c1e1985d36af6527c220d49a43ae1c3446144823a6

Download Submit
C:\GalaxGH\bodaloc.exe

Filesize
744KB

MD5
51ea65980bdcef15b7d6fb06cb4a33f0

SHA1
ad42db2a610c235ea186f49828aafc71a431ada4

SHA256
175b5ba676c379ad025bcfc3e712c00d6abd01e0d9405353533a0e049e730371

SHA512
6a276af2b9e36b489f7a2f2a4987a44606f7b7d74577db39fe6baa9635a35279f11f8b343bb01d707c55a9f3d63b2ec9fa3a6ed6c31363d91e80f1c7cc0c76da

Download Submit
C:\GalaxGH\bodaloc.exe

Filesize
4.0MB

MD5
3505950bebcc0faebc5438773722f1b3

SHA1
ac720c2131987c17ac1160c9f9a2b4e380f96c1f

SHA256
10c91be6d420a2325e1d1df0341ebf651dfd15a53e2edf4cf7f504b182709d8f

SHA512
cd00bcbfafa4f9f1dbf9332342cb4e7233f69e9d03e8e698f340307671145493f70fbc045e1e85e035711f4a494048d8a0d05bd448b4ff33d8b68a97ce041ef7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
767341e0bd492e052b81c6e6300f9fa9

SHA1
4b0da939a05d8e3d1f6b8679ed07a27b175c26a4

SHA256
770585356917142af7af0d43a6cd98be895d726169878c402686fcda268462ce

SHA512
7985dcbf8c7c78df2e42a27bc239cd5cabc38df96ef55b6232167fc2f99621c78ab22297807e1df036febb1e31a0f50c11f3951fe963f68a0bcef17e15bf8c24

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b45eb6d020893e3712f470bd99921e3c

SHA1
1a2f326dc2b56579d8c7ba02016bafa55be0d598

SHA256
01f14c7fdbbccbbc53c933387dc07bb4da150285358919281383ec064b117292

SHA512
7b6e047cf9b3accf4e2daffea2024836521a8ceb353cb6c1a5dbb5ca50e524ac89027becf4e9ab082869627e91be4d4a22fb3eaa42b8150be8760cd6b536f4ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
4.0MB

MD5
51423f573e937ea70cefa8d7dfc60b6e

SHA1
14c630086268fd72acf3ac240250df86d6012e0e

SHA256
97b71d1be81903fd61126b536c75329be92442ea5e936673006a8c299dec2dde

SHA512
18505ac63dcdec73fed3dd9364a9c8827fe2d81d3d5fc1ba20fcd5008bd15282f0fe7c13d18a17fc5601fb1f4f35e5105a2b63438ab9b9ed3651af1f00570ea2

Download Submit