d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
Size

3.1MB
MD5

eb4f6c93fefecb40da195f50fd9cf5ae
SHA1

b66afc8d52b794b2e4dd089b7ae10125da41ba75
SHA256

d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37
SHA512

909e9df085a88d2a61be9f74b95466efb98de386c030ef20edcf7082bebb6496a517586be7d172f8d743fd835f6fac82a75b644d625f729b6e37db27397e1887
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpRbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe

Executes dropped EXE 2 IoCs

pid	Process
1876	locxbod.exe
2488	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9K\\abodsys.exe"	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2R\\boddevec.exe"	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe
1876	locxbod.exe
2488	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1876	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	28
PID 2196 wrote to memory of 1876	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	28
PID 2196 wrote to memory of 1876	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	28
PID 2196 wrote to memory of 1876	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	28
PID 2196 wrote to memory of 2488	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	29
PID 2196 wrote to memory of 2488	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	29
PID 2196 wrote to memory of 2488	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	29
PID 2196 wrote to memory of 2488	2196	d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe	29

C:\Users\Admin\AppData\Local\Temp\d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe
"C:\Users\Admin\AppData\Local\Temp\d1c65f323a891fe60fb823afe5fa2ab2d1323f3c8c405a2ad1a8debc6af48e37.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\UserDot9K\abodsys.exe
  C:\UserDot9K\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ2R\boddevec.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\LabZ2R\boddevec.exe

Filesize
3.1MB

MD5
76b61d4460a161f1894914c502467002

SHA1
b509b5db3b801d66fb7b4e8ce7ab709f97cc36c1

SHA256
717f0ce2e1673a5db17850cf246f1ce0511a3e69d540c1aea5a7fbe1601406bf

SHA512
b16833a56d5f32e5eba922c801c993c9a9d5f0a22c983a3662423e49594f8976abeab732b88b7f05279604a7ee9e363f6c6204d270b817f0735dc982a03364ce

Download Submit
C:\UserDot9K\abodsys.exe

Filesize
3.1MB

MD5
5f747f62102b66ef40eb5b2132c0fed1

SHA1
f3252401a15dc0074e7e375ac12a2d12fd3745ed

SHA256
a314f706437e4ab61dc88c5e192be0d47d82e9c57b45007103a35790a4c90391

SHA512
9a15716a64069606f9d217a6b8b14a922927642672f2da807f322088f1b460176948f08e14eb448e3f53abb84663f087ca70be2fec2ce4c9228f295fa7d858e5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
daf9282ecf16e3c3c5d2593a28efd802

SHA1
fe8a97ae1e1e53f15d50c4d25b2e62cab59b5576

SHA256
27e03c6beb507ae163c78cc187def357f66b9ede15c2b4c767328c9bc0690e13

SHA512
34ff53281cfc919c46d51d1562bb2937b09869261e1273f99eaa0aaa189a1637a492c076d2031a337d071abbc114ae594da174d8c43b6bd0833ca401f692bcbd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
680bc814a64d50cedd9e026e1a7c6f06

SHA1
76fd9763456b6f42a494bc8edc23d897bf29a00c

SHA256
fcc5c62a04635e221114bcddea2097abfcd4220d0357ef1e599cc397e6ca7fde

SHA512
ff4d002d77c1a25614a8e110ac0ebc08567b5a686cbd0da8c96874fa2632707e7516b80b25f768c6e6c28878d0f64c2011acf8c9ecbd48f2c6f7994162e33cc9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.1MB

MD5
3eff29921994a4281bf3a0818ba63202

SHA1
b0de8fddb3ef908a2057ce89394f0f5f2f28dd76

SHA256
8d67d5d539391ee44990d846cf742882c529d527a75715cf658c6e67d6b0a582

SHA512
914b51df7c240809cbe2faf658dc0caf389535e85c9f68b64c5dff714b75e35ada11c545807f31e5a2aae734efecb50e90269d8cf0b4804b6c12230646f0de4a

Download Submit