16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
Size

3.0MB
MD5

7ac408baa8038cfc6a553f93a168b35a
SHA1

387099e5299f285ad0ece8ed2d67aa4fab0ac31d
SHA256

16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd
SHA512

c5724a3dce76482fa15a44e8854c40b211ee05c0ae18b3f3ea2282f8fd75a8aeb23c36abf7046e98f4ed6ed0aca18f8060bfb589787a097b5b203f54c2548d80
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNX:sxX7QnxrloE5dpUpTbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

Executes dropped EXE 2 IoCs

pid	Process
2052	locxdob.exe
2516	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotI2\\abodsys.exe"	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWG\\boddevloc.exe"	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2052	locxdob.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe
2516	abodsys.exe
2052	locxdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2052	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	28
PID 2656 wrote to memory of 2052	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	28
PID 2656 wrote to memory of 2052	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	28
PID 2656 wrote to memory of 2052	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	28
PID 2656 wrote to memory of 2516	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	29
PID 2656 wrote to memory of 2516	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	29
PID 2656 wrote to memory of 2516	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	29
PID 2656 wrote to memory of 2516	2656	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	29

C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
"C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\UserDotI2\abodsys.exe
  C:\UserDotI2\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWG\boddevloc.exe

Filesize
3.0MB

MD5
dc4496e879ef9be9663f4a738be97544

SHA1
8064207e09994c9a8bbd1513fb7eb61bdfdad1c9

SHA256
ebd566044c96bb4cdb28390b7a3b3eca93a72ed61d83a545e223b287d38e78dd

SHA512
03bda2733a041f2c01ac9af1b48e0a0edbe685d8fedd29203ce536154b0fb64bc29618d3851dfb88817ed3bedd4b6ee0a1f704a771a55a8d2f2c962e37ff3556

Download Submit
C:\MintWG\boddevloc.exe

Filesize
229KB

MD5
fa9b8b724a6a540b7a17d0e50307777b

SHA1
70d5850c6ad692fbbf1544776600b9b29881c546

SHA256
9474c9f98969ada1d1fe8fb238002e9f52dc9ce505c0e69708125c4540544387

SHA512
f68d3ec0570adbef8102d3cc246d1f4b59d1af876dd6757681ab6476af06188402f65ce9230659abf405a070cf1efb10d97f1f0576a5ed381d7688617f69200d

Download Submit
C:\UserDotI2\abodsys.exe

Filesize
3.0MB

MD5
b402c957156ef42e97cf69bb644af0d5

SHA1
c5b0b24f4bb58d0f024a5c9525077d2e7106919b

SHA256
f5868a6471c6d3e166ad34bed98a4e83ed620ea2a900f26aacea334d96f1a59b

SHA512
474ca00a8599cc2f270ead08818c0b794c4579d054287b9cef7de4dd1737812c1e551c15e4206f77f562386d09872289982df48c8f4cbe64ba4b84924673cf51

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
cde6c214e2100f015deb7200a3a42b6c

SHA1
e65f03ac8684f96a3a96eef10c6237352a08309c

SHA256
4a308fa29bdeafb157c5ef3a3c84517718cc07ae34c09eb137d09e5bfba13926

SHA512
e74142db5c27d518397ae5d156027e87c0b3892b6dd2ebbc5e69d67dd559642acf729f5aaa9e8425f73f86e8d75c331a06dca7967da0c1bfaa6e16d428e5ea66

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2ede303e4d1de84933d802e20014e382

SHA1
cdda1ce685a588ca820d22abe34fb669c2fdef0d

SHA256
95990d81f70f6fe96f09c9901f65fe9c246a66007d870f97c5511f76e4acb108

SHA512
e989ce4b48e70a365e053596ae22749099f0e33f540e387ca884ea0b674b40399f10a32863071a3328a23a02d00738375d9df3f69fe429354b60d3d8519d2b13

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.0MB

MD5
c86c96a9260929624fe80bb019dcce12

SHA1
f102bab96728e4ea2d944d38de0a0dfca812cc78

SHA256
65d7bb480b15c2b2012a4b0dc7b4a5499b98d78dfcbd4f378e9adeff7e05f8de

SHA512
cebed6e5b4c21b669ff2915311322b9e41cc3fa22b8e549062f35faf226a5d49f6327457701583daf1a4303833efabf8f36065718329dc6c66ffafee80fea068

Download Submit