1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
Size

3.1MB
MD5

2ea85fda33ced70d1361dd6792a59921
SHA1

609d5b0d856588030255b546004e83f0814364a4
SHA256

1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b
SHA512

b668536d040d8ff17ea9b1e16d81cd93b6c23aada09d3399d0f6bfe2588e459972985361d117314b70671315c7996ac06d3c45d5e958a5186dff4b0bdf8e4645
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	locdevdob.exe
2604	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJE\\abodec.exe"	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPO\\bodxsys.exe"	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe
2560	locdevdob.exe
2604	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2560	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	29
PID 656 wrote to memory of 2560	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	29
PID 656 wrote to memory of 2560	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	29
PID 656 wrote to memory of 2560	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	29
PID 656 wrote to memory of 2604	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	30
PID 656 wrote to memory of 2604	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	30
PID 656 wrote to memory of 2604	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	30
PID 656 wrote to memory of 2604	656	1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe	30

C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
"C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\FilesJE\abodec.exe
  C:\FilesJE\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJE\abodec.exe

Filesize
3.1MB

MD5
bb3d51f56443c5dd7a6c34b11562c3c9

SHA1
4c40266e4e557273bc297f463e408db5d08a94d4

SHA256
1578479dc48c4033dd68f2e39c32f89d7e0730e868fb3689b39dfcaf3892abd9

SHA512
1d6a204a723df48148e8a6f9cbbd627e4c2075a00de3f92843da7fff84c2c65081b70fcebc8ae76b2c00b8210ed992805f7f908e79cc2c6a026e6483b7683b6e

Download Submit
C:\MintPO\bodxsys.exe

Filesize
3.1MB

MD5
7946bbd58142075c71f29e4e470b8e0d

SHA1
747b1c26446c4a3a3c3fd42d2e9a3a9d6d855156

SHA256
c762fd258418dcdbb78b440332df63ae71ca65420878dec11e970dca9f62dfb6

SHA512
a4f0ec3613c01e5a131dc7cef4d5b1bbacb477ac21e9c05954097e24376c4741444d618260bcf920ca23b06f40307d77368303484dc30946b0646cc5398e53ed

Download Submit
C:\MintPO\bodxsys.exe

Filesize
3.1MB

MD5
012e65d0c1bf5f74ede46c388fc03ec1

SHA1
7126dc6684f1d888e1d226c873c7631b08c66e97

SHA256
dbda54c0db64ac7aaeea3edfcb944a3dfdc8a8e1c16eb0947368a4826cf2c7ca

SHA512
e0e7d2064acdd423daa042a2770ba6fa069bffe1ac0df726805182850bf7c24cbf02a0997f9d676c3b9fdfafe830fddf3c488589372bc89483904f3229800cbd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
27a55c786e2a620f055ca2ebef7ceb11

SHA1
dce5dd807ca1bb78eb15c01b0e7e94f622637322

SHA256
c41546a95080a4086c75281c9b3f412980e8ba91a14b70493ed56cfaf7f847fd

SHA512
c3f833e115418b87d7b30facbc0c587ed389fafc7873b04922ac536ff915d2af5322c67ebe3c7cd9a7e08f6dd007ed333e1a1ac06bab11c7476e27103cc579b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
1e653ef208db737903512836b499a5fe

SHA1
8876926d26afc9a11d6026af4347d75fe7898efc

SHA256
5c5b068fc9bb6129adf742b35b51d53b40aca0e83b2a2b8d14efcc8ec4562784

SHA512
26612babb3a079284df4f1f14882b1c730b32db39f07fc89f8cb287028a68780981ee4c5e34fc02741b4aa2c512ee49137557ea943b8b821f12a6706f8710e48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
1b3d9d367049051cc7f08e1674ed7e6b

SHA1
b24c275d802a6bf03b15835964f17ddde479b2d0

SHA256
864d4aa89e1cae8f262c3020b6c602620ddc2962bb85cb02879fd079fa924d59

SHA512
65cb19f9209c2ed87c4ceb6634959109fec56139a6e172c8b1e464d37c7c02648705375bd9685758ce2df1852e442dee296b8121f5f5208b2636e8455bd20462

Download Submit