882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
Size

3.6MB
MD5

1324d818b8971b32a7c9de480ac1f64a
SHA1

e5eb70ffbc50ec3f77cf94e1f84611f479b33f94
SHA256

882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd
SHA512

e354d796a37a6289b93672adcd16002fe93f5b57b3999d7d0ee0fae8e758bd81a0380813f8faa9d1bb7564429adf02351df856f2dcaef8bf8f5be386ea31e269
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	locdevdob.exe
2876	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4L\\abodloc.exe"	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2Q\\optidevsys.exe"	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe
2952	locdevdob.exe
2876	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2952	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	28
PID 2920 wrote to memory of 2952	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	28
PID 2920 wrote to memory of 2952	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	28
PID 2920 wrote to memory of 2952	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	28
PID 2920 wrote to memory of 2876	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	29
PID 2920 wrote to memory of 2876	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	29
PID 2920 wrote to memory of 2876	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	29
PID 2920 wrote to memory of 2876	2920	882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe	29

C:\Users\Admin\AppData\Local\Temp\882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe
"C:\Users\Admin\AppData\Local\Temp\882494401c57b52fa37b291e52ec01f9bbd32eed4ede91e17e7d1f79e885c5fd.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Intelproc4L\abodloc.exe
  C:\Intelproc4L\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc4L\abodloc.exe

Filesize
3.6MB

MD5
22d08bc15d154742545d62ea348691a4

SHA1
afef26dc59d05d2d88e5ac21a70405dc881f6c55

SHA256
ef19e3d8d376581df9aac0f96c900b34b9031c053719d312f77d99d672378ee9

SHA512
a7c5b5cf069204d4c828142e4879aa71daa7e22ef9eb11e0755b379854cec566e74402a572bdb34df4ed46a8660f44d47a0dac37cb5a8fad7b98125d9cd0a867

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
11b3c1dc56e294e1d5738e95b43fee47

SHA1
28e96fc7d315e4ddfb9ea6993836dd6a34f5351e

SHA256
cff2fdfaa53f7c6e27266c7ae094b771610b45623d8a6f1206101b5e1a6570eb

SHA512
7dff1953762e61030f979c5ddf845950aa10839ec03668879f3f8be29f6f49172c483a5f43535ca3d01fd0eba48ea3f99b6d43dab322c43533a97f44fecd0945

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
b6392cb2c6844f40fcb94a37939f6688

SHA1
562cf00002891277dcdbaec7cae78df3b74f01d2

SHA256
8e789105565e29d9cf0000c7b2819793346b3cebc852f6c007fd3d2d7c4878e0

SHA512
e050c394310dbcf88e72053f439e2566006836b3b573154e63a6fd0b0abcd3716ad5610577db4d830d1f93ee7cb51acc1d45edaaa3a51ad89b60bf54874109b4

Download Submit
C:\Vid2Q\optidevsys.exe

Filesize
3.6MB

MD5
84d2cb649700cf9371a48465d2356ee2

SHA1
33bf4aa30e3b4d7ead6da1fe38b0df260368ecd7

SHA256
3065b61cc686ca02a726a1e25ef86add1c26a652bed02adb57daaee4e0c28d8f

SHA512
ec0aacf7e6f21bee33451b452f015ef10300da75c86f754481cb42f3d0f06747f344a8c5387c17685222869851f1fbd4ce704c46b7dd8f46fbab13e3d75e6eef

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.6MB

MD5
f0b5ccda7dc0acb22737fad0a60a5582

SHA1
444e118cbc3ed23e3fa7b69fa362f6fd005c0847

SHA256
bad806dd246e38cccc92575f5e2a75e76c35a0913c1ff3988540692577165cdf

SHA512
2cb7d8d34d3e760012b582ee0ed4903d484c64193daa3dc25a0154a0269c3d80744774b1bb708cf7594e2e538c2470b9254c05ce3dd9b13f9f5750e11f9f2eab

Download Submit