cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
Size

3.6MB
MD5

40dc544ba99243539f6d6be8a4bbd796
SHA1

c9fceb70dfdb1fb185c6d663e1d54d4a03979450
SHA256

cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec
SHA512

f6bd2492af9a6ef73998ed070a95c8d2f4476dc238f8d0c9ee690c95f3f957174b0635205dca45f43299cc01a8c07b2161b39bafd86d91a8f1928055d1658167
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUpJbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	locabod.exe
2600	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9E\\adobloc.exe"	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZV\\bodasys.exe"	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe
2148	locabod.exe
2600	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2148	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	28
PID 1684 wrote to memory of 2148	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	28
PID 1684 wrote to memory of 2148	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	28
PID 1684 wrote to memory of 2148	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	28
PID 1684 wrote to memory of 2600	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	29
PID 1684 wrote to memory of 2600	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	29
PID 1684 wrote to memory of 2600	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	29
PID 1684 wrote to memory of 2600	1684	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	29

C:\Users\Admin\AppData\Local\Temp\cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
"C:\Users\Admin\AppData\Local\Temp\cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Adobe9E\adobloc.exe
  C:\Adobe9E\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9E\adobloc.exe

Filesize
4KB

MD5
ede40b36034d11420daf9b761d447622

SHA1
83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7

SHA256
6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4

SHA512
0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

Download Submit
C:\Adobe9E\adobloc.exe

Filesize
3.6MB

MD5
643f81563be9db2060bc69ef8850b8ae

SHA1
43a50fb142bc545ca75c0ca9a6beccc399530a34

SHA256
d459ee660450afa530dd3e1c9621954d09fad90044618350ac0e637d596c5989

SHA512
be6e2898d9f212da849e12f33e4f5e4eb86bbe7386044d40117d80a6dfc8168e057ef7aef8c2f046aa5044bfdeeb02a0312667537f2ee9ef9d1fb1348f01e61f

Download Submit
C:\GalaxZV\bodasys.exe

Filesize
3.6MB

MD5
1c316c39804fe5f892afa0a272067a7d

SHA1
e72148318db2ecca5345dbb8df90a6c4dc97606d

SHA256
f6f46ab3eb485551e457b3bc861a3eec5b725003dfb4b57c8604c90aca047c5f

SHA512
393a3b4d5c3cff24ec30dc56f24132b46106a09fc1f93e01607cde3df3e56857db91e22ede2fcf0f342934ff9c1cf9809799ebd7e86a0fbe80f3bedd4fdee503

Download Submit
C:\GalaxZV\bodasys.exe

Filesize
3.6MB

MD5
e777174f78f22390fa3571714ff29056

SHA1
817191c0f832812a4365795d689f497896f5baf3

SHA256
9ada9a23dbf8c9edbad11ed5d235ecba2777f986fa576480f37ea25fe7f3dddb

SHA512
faa02f0bbae3bbeccf579cc9cdd318c821c2e000d735e0b10761b37424029e432c622d1868b8a8dd67da67698bd3235d695f1d6034117cbad1200450606b73a9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
ed142508c0f0f8f6242937174ee92c1b

SHA1
22ee441a89bad9e762f9c32fab3a688cfe17dabd

SHA256
225738ea9f8fcfbe044339ef485e701a96137d638b482cd28ad02a6d290ef8fa

SHA512
344077ff269eedd2810a094f8c8bc46f20b300e0ba49f7e24139e72a4b077e87a7eec47b7cbc460e9175402edbe450a153e7ae2dde66945519a54c3ec07b60ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
915f16b24605fba989a2b7196353948d

SHA1
80801525b9cd2aa3f9cb99feb019828623f045cf

SHA256
ec6b44feb99d8eadd5486e6152021ef113362e84619cacb23826cfed6b29581a

SHA512
71f2abc62b3f5329679f3ee98e85057e8d342d07c1b43e6574e9041668b084553a673a7bd4ea17d14c9f35ed326f516b7b85ac3e7c2c3952be3cffe09c16f514

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.6MB

MD5
707e7b85db6b0ddb11e0d499afbd5973

SHA1
2258e6bb81570899f9779aec982166cfd6654364

SHA256
14ab37710c21baa469aad73ff82bb090176ba932f7cdcfc854816a91e9b54424

SHA512
27004c117378adb5479cd950b94257715ecd7be97ec1d23779987fd6185057e067555163fa7e911e78cbe471812d25aa80c13a377ebdc20bb239ae1b7a6facbc

Download Submit