Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:33
Static task: static1
Behavioral task: behavioral1
  Sample: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Resource: win10v2004-20240426-en
General
Target: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
Size: 3.1MB
MD5: 1fc9c061cffa61d9910130b0704877bd
SHA1: 165432d7a40beff25264f2f8aa17ee71b4eea543
SHA256: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc
SHA512: 2d79cc1b349d864a949f12f981548f6fb962689ed0befa9b2d663e1d1f23caf22b2f2e64c9dbfa264bf627cc6483968e60e418db4c90de5adb6d9916660f575e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpIbVz8eLFc
Malware Config
Signatures

Drops startup file (1 IoC)
Process: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Executes dropped EXE (2 IoCs)
  PID 4736: locdevbod.exe
  PID 452: abodsys.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOU\\abodsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWO\\optixloc.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated entries collapsed; counts sum to the 64 IoCs reported):
  PID 4656: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe (4 entries)
  PID 4736: locdevbod.exe (30 entries)
  PID 452: abodsys.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
Process: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  PID 4656 wrote to memory of PID 4736 (procid_target 84), 3 entries
  PID 4656 wrote to memory of PID 452 (procid_target 85), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
  PID: 4656
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (child of PID 4656)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 4736
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesOU\abodsys.exe (child of PID 4656)
    Command line: C:\FilesOU\abodsys.exe
    PID: 452
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads