6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
Size

3.6MB
MD5

c2e13e5c8ce944a26ae0283f83643209
SHA1

bd4b3aabcc644c6d0f071804c6c6bc0dbd6578de
SHA256

6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4
SHA512

b927035f5c3653ac01e1f5625db3b43936cf35d96801a95262b2df8409c84e996bddaf7df10333d2fc87ac97527834b9560ee721960b805b6e54b5d8f81bb251
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8:sxX7QnxrloE5dpUpgbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	locdevbod.exe
2520	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5V\\abodec.exe"	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0G\\dobdevsys.exe"	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe
2928	locdevbod.exe
2520	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2928	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	28
PID 2292 wrote to memory of 2928	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	28
PID 2292 wrote to memory of 2928	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	28
PID 2292 wrote to memory of 2928	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	28
PID 2292 wrote to memory of 2520	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	29
PID 2292 wrote to memory of 2520	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	29
PID 2292 wrote to memory of 2520	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	29
PID 2292 wrote to memory of 2520	2292	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	29

C:\Users\Admin\AppData\Local\Temp\6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
"C:\Users\Admin\AppData\Local\Temp\6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Intelproc5V\abodec.exe
  C:\Intelproc5V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax0G\dobdevsys.exe

Filesize
1.8MB

MD5
3199623e3218c862b78c9e32cb073d70

SHA1
b751ee1e4be1f9732725cdc87edf9de9be6cde5e

SHA256
7c70f03cd74ed6c689267aab8e4117a9b0728e7df26cf3cef343f344fdfdff7c

SHA512
20f172f180bf7bb9622743f3c2808615e2d5eb3fd05d00504da8c29e12ce89e693136ab123360a33926a8037003c4057df3a094f7421ffafe0e162386eac798c

Download Submit
C:\Galax0G\dobdevsys.exe

Filesize
3.6MB

MD5
843c20bba36e95abafa1af204910451b

SHA1
5ddbdff48ba5aa3a33fb80e093eba806d7627762

SHA256
15cd3bad64a572db39d74dafa55a407731a1e781054d5c764b165b03941ec697

SHA512
3c9c1767f2919905310fd108fe7611aa90f188ccf218237d8a8060271a3abc0fc862c7050f6e1aad19b51a46c9e2028a20e51291f39d37dd0d2ecfe0af839033

Download Submit
C:\Intelproc5V\abodec.exe

Filesize
3.6MB

MD5
c58d4af5341e73887a5c5b891e26be44

SHA1
8577c650e573b81d928473cc764fefb8cc012c1b

SHA256
a34061af11950e69132882c397b17467993ccdc6937d8ed54e4e26c0e72f1b0c

SHA512
6cddaf88635e8870029efa2b1a32b1627eb5375dcbae13d60c54448eaa60a4edf8a9d16d18870c8028753f7b74fb904d4468630f23556c04a725dc91f416286c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
0bab846e313217a04bfc0fba9fe981f9

SHA1
070ee2b809947c92dfed59269d4c4845b8bc0306

SHA256
160f95fb112f9917b2fe2885ef0539ff97e914bb5705c48cbef63de12432e3b4

SHA512
f1b5d887fa7473422ababf99da996f97e3fafcc4db1b828dba671abe81b40711461d13d8eeb7b0570d1e77c8c190e6f7d06870ed415fac4ab5146054fbf01259

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
df69540fedab0e7099c74e7713c6eac6

SHA1
a843362e27d9da63b742cf55bddf560b85ee057d

SHA256
b63cdbd6fc715691e9141cbeeb272cc535c66c26f72010de2c9c8fd163e76f49

SHA512
3ff0b27233f68461ff1302d75956454513c41d0a15b4168887d37e469651ef71ab191c8c86c06509162fab155c0f7dd2c43fa4672403ca752e659c7b1c13bcba

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.6MB

MD5
e37b613d8c995c50af18d25c0704b2b0

SHA1
1f13cf8a5783b11aa38c4de9b0f853d6d2236e35

SHA256
7b7bcb4359558485a7e93f93bc822a67b1597c1bfd465216bbab4d461c43b41a

SHA512
88666c333cc09be096846571a50d9ad251914d579e4dc35982d675f9ba687a647a49b68530c2a34594affa133a3fa8f132f15173acef09db5658e62a9c4b3451

Download Submit