b47a464641b336cdc9144beb68bf0ccd7236bd60c54a3e8b87c81d5d4ec12668

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 06:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

571f4b0e05121971eb365a9c31c83fb0N.exe
Size

2.6MB
MD5

571f4b0e05121971eb365a9c31c83fb0
SHA1

fef044dccbb1472cb85ae27211090a46986c7557
SHA256

b47a464641b336cdc9144beb68bf0ccd7236bd60c54a3e8b87c81d5d4ec12668
SHA512

03a38b3f781451961568245234781faabafa5b7ce3a4ec913a5d0de73750cdb017ba814a58102827494e2fc977abc05788e4ff17e738163c4a88aaaa21b3914f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUplb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	571f4b0e05121971eb365a9c31c83fb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1436	locxopti.exe
2000	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	571f4b0e05121971eb365a9c31c83fb0N.exe
2504	571f4b0e05121971eb365a9c31c83fb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK6\\abodsys.exe"	571f4b0e05121971eb365a9c31c83fb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2W\\dobxsys.exe"	571f4b0e05121971eb365a9c31c83fb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571f4b0e05121971eb365a9c31c83fb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	571f4b0e05121971eb365a9c31c83fb0N.exe
2504	571f4b0e05121971eb365a9c31c83fb0N.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe
1436	locxopti.exe
2000	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1436	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	30
PID 2504 wrote to memory of 1436	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	30
PID 2504 wrote to memory of 1436	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	30
PID 2504 wrote to memory of 1436	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	30
PID 2504 wrote to memory of 2000	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	31
PID 2504 wrote to memory of 2000	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	31
PID 2504 wrote to memory of 2000	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	31
PID 2504 wrote to memory of 2000	2504	571f4b0e05121971eb365a9c31c83fb0N.exe	31

C:\Users\Admin\AppData\Local\Temp\571f4b0e05121971eb365a9c31c83fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\571f4b0e05121971eb365a9c31c83fb0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\FilesK6\abodsys.exe
  C:\FilesK6\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesK6\abodsys.exe

Filesize
2.6MB

MD5
3ee815b3eaf1e80731b9a278d1839959

SHA1
c008efb38654b53d935c9c30e7d6bb8a00bc245b

SHA256
b5fc0330639629090fe806d632a16253e35c866086a0b88c7d7470c7a3fd0534

SHA512
d967f387cfbcd5562a2b4ff6af6d66412ff757197cd29d178a8250dae5a7348e18146c5ffe3b3691d467060d967b8176b356e70afcdb6f02d93d97e25f7bdac4

Download Submit
C:\KaVB2W\dobxsys.exe

Filesize
2.6MB

MD5
b02dec2667ef1ba41a8b58f85be7e927

SHA1
dbc9647beb43dc767dd3c3dba8f0e7e60977c4d7

SHA256
51931c5737be2caef7b991226067e2ff284577f0190e783cd0ff55887d218d8e

SHA512
c72d38dd201ba135635ed22390a56108c456fa7fd92ee491931b193fbc321e5ccb2e63de977799fca325c197648b347a0e388f5a1739dc03242055c967b01aeb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
b2cbe47f23424bbb1123882952858e6d

SHA1
fc9eefa79eabd38baeb464c9feabefc67fb3d3be

SHA256
59dda934209d67f5df95f886371d95c5aae7ffc0b29dbacb017024f5a5a8c6cf

SHA512
0f63b9cd12caec61f5d414b5126cf28a1a8c78921f19b19f2bfa9eaaade73a06393ca41abfa5ce3735d3bb109ab86a34b1f63de78c3aa6a116d4891b042a9d46

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
9c3363f2743a9e5908a01927494848d5

SHA1
cf4262c13983b070d5cff582071ef8152f6aa7b0

SHA256
319e58d2a42cb7c00e6570f66027e6a21a3bf8f7b182e58e697e7b9216f644eb

SHA512
8ac3c090f4d652dbc42d0891346c06ce97ff25cec3561c2609ebe3760c143dafb595303b23f79bcd9bbf6797e9fa522ea14a06aba255fd29493d8b252195439a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
c2f3ac44d5051296f4cbacf0881a20eb

SHA1
52dd7e86775ba3ad08a2e39213f940dd2702f848

SHA256
b47670200b77f3b98b53ac7a45bdeda33e964dfaad938e083367f4b9921ab58c

SHA512
56cd521843b8d1619e9a32b760d835b8e80cadea3731e77f363a1b28572ff79744e34fbee43d4abacef85d31c7c116d6000becd44bd3a3416c55dd15ae74746a

Download Submit