Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 05:41
Static task: static1
Behavioral task: behavioral1
  Sample: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Resource: win10v2004-20240508-en
General
Target: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
Size: 3.9MB
MD5: 62de0e03112b50ef658e3d6477e0b2c3
SHA1: e5e1ab14aee7bb6e30cd250378238a005ad863be
SHA256: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77
SHA512: 957377e00975945f8ba188ddd7580281d2678fe32f3170bed9ab6ea215b6fb738583bd67432cc6e34b0839e8d621611be52669630e1413ed626c7a814335884b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUpLbVz8
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe

Executes dropped EXE 2 IoCs
Processes: locdevbod.exe, abodec.exe
  pid 3044  Process locdevbod.exe
  pid 2580  Process abodec.exe

Loads dropped DLL 2 IoCs
Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  pid 2016  Process f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  pid 2016  Process f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5V\\abodec.exe"
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0G\\dobdevsys.exe"
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe, locdevbod.exe, abodec.exe
  (the 64 entries are repeats of the following pid/Process pairs)
  pid 2016  Process f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  pid 3044  Process locdevbod.exe
  pid 2580  Process abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  (the 8 entries are the following two records, each repeated four times)
  description: PID 2016 wrote to memory of 3044
  pid: 2016
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  procid_target: 28

  description: PID 2016 wrote to memory of 2580
  pid: 2016
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  procid_target: 29
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2016

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3044

  Level 2: C:\Intelproc5V\abodec.exe
    Command line: C:\Intelproc5V\abodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2580
Downloads