c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
Size

3.0MB
MD5

1cb9a8abdaa6e1dc4adbf768fb79789f
SHA1

e8282f5c84989fc844f545f349142f9bf33cda0f
SHA256

c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43
SHA512

2ba44bb4352b143445d994c5c0283392bc5617751d9456d4a94857fae2ef08c294a44c68fbf6dfda96bc35709db2da066e586b7a2bbc5e837327727534ca93a0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUpybVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	locdevbod.exe
2496	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5V\\abodec.exe"	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0G\\dobdevsys.exe"	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe
2660	locdevbod.exe
2496	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2660	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	28
PID 2952 wrote to memory of 2660	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	28
PID 2952 wrote to memory of 2660	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	28
PID 2952 wrote to memory of 2660	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	28
PID 2952 wrote to memory of 2496	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	29
PID 2952 wrote to memory of 2496	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	29
PID 2952 wrote to memory of 2496	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	29
PID 2952 wrote to memory of 2496	2952	c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe	29

C:\Users\Admin\AppData\Local\Temp\c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe
"C:\Users\Admin\AppData\Local\Temp\c99c30cdf00214ef2f6c64abb61dc510aec114b0ebb5e5adf0cb154a4dca0a43.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Intelproc5V\abodec.exe
  C:\Intelproc5V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax0G\dobdevsys.exe

Filesize
3.0MB

MD5
1e8f2794adad491136bb01a7ec77a6bb

SHA1
5629408c96db9891959f97a2d4ec2a39e3655231

SHA256
aababac0fcf13dc2e235a232b80d31dc533fd97a583797d3501396e480c2676c

SHA512
762c2e286d1abf21ed36f62584e90f8068c684da1353eb7ab17d0bc21069e37123973b115b06e189e0fb32ae9b5a940ba7f3e6124618b1ced8079447100f0ea3

Download Submit
C:\Intelproc5V\abodec.exe

Filesize
3.0MB

MD5
7f65ea140d30e2ba46599eab905c2f83

SHA1
8bfad31bdc8abd4f07c70f81ff8b1b772cc07ad0

SHA256
75d917b74ef1c45376526eb0f123dad20b22bad20e2a671dd54306a5cdb1f029

SHA512
8190dc0280a323ad276043ff1b623a82370512c250a0c347612ad747913cf10f3e8df402e6a875ca8157dc1425bf5f0b821ee17119f3a0db64e233601b86a115

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
0bab846e313217a04bfc0fba9fe981f9

SHA1
070ee2b809947c92dfed59269d4c4845b8bc0306

SHA256
160f95fb112f9917b2fe2885ef0539ff97e914bb5705c48cbef63de12432e3b4

SHA512
f1b5d887fa7473422ababf99da996f97e3fafcc4db1b828dba671abe81b40711461d13d8eeb7b0570d1e77c8c190e6f7d06870ed415fac4ab5146054fbf01259

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
df69540fedab0e7099c74e7713c6eac6

SHA1
a843362e27d9da63b742cf55bddf560b85ee057d

SHA256
b63cdbd6fc715691e9141cbeeb272cc535c66c26f72010de2c9c8fd163e76f49

SHA512
3ff0b27233f68461ff1302d75956454513c41d0a15b4168887d37e469651ef71ab191c8c86c06509162fab155c0f7dd2c43fa4672403ca752e659c7b1c13bcba

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.0MB

MD5
cde242d27ace9cb85fa0b710e3dbebd7

SHA1
e4078c023ee7aa2fa84fdc0b37cf951d6552891a

SHA256
e208b0ee1e01e5ffc502f0bf0e77cbf9581e14fb6a83f7b200b2faa551838696

SHA512
b77779ea2963beba414e70f7f687b39173198b0bc412a69c3a9a1e813af7080d1a5677fff3b749a01c09e7aeee937661eea83230705d4c29512bcab380538a74

Download Submit