b47a464641b336cdc9144beb68bf0ccd7236bd60c54a3e8b87c81d5d4ec12668

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571f4b0e05121971eb365a9c31c83fb0N.exe
Size

2.6MB
MD5

571f4b0e05121971eb365a9c31c83fb0
SHA1

fef044dccbb1472cb85ae27211090a46986c7557
SHA256

b47a464641b336cdc9144beb68bf0ccd7236bd60c54a3e8b87c81d5d4ec12668
SHA512

03a38b3f781451961568245234781faabafa5b7ce3a4ec913a5d0de73750cdb017ba814a58102827494e2fc977abc05788e4ff17e738163c4a88aaaa21b3914f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUplb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	571f4b0e05121971eb365a9c31c83fb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	locdevdob.exe
1240	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQL\\abodsys.exe"	571f4b0e05121971eb365a9c31c83fb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUQ\\optiaec.exe"	571f4b0e05121971eb365a9c31c83fb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571f4b0e05121971eb365a9c31c83fb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	571f4b0e05121971eb365a9c31c83fb0N.exe
4284	571f4b0e05121971eb365a9c31c83fb0N.exe
4284	571f4b0e05121971eb365a9c31c83fb0N.exe
4284	571f4b0e05121971eb365a9c31c83fb0N.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe
2720	locdevdob.exe
2720	locdevdob.exe
1240	abodsys.exe
1240	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2720	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	90
PID 4284 wrote to memory of 2720	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	90
PID 4284 wrote to memory of 2720	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	90
PID 4284 wrote to memory of 1240	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	91
PID 4284 wrote to memory of 1240	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	91
PID 4284 wrote to memory of 1240	4284	571f4b0e05121971eb365a9c31c83fb0N.exe	91

C:\Users\Admin\AppData\Local\Temp\571f4b0e05121971eb365a9c31c83fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\571f4b0e05121971eb365a9c31c83fb0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\SysDrvQL\abodsys.exe
  C:\SysDrvQL\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintUQ\optiaec.exe

Filesize
2.6MB

MD5
55dca8bb92ed21ecbd3d3f0e51e86e28

SHA1
3728d76da71319fdee920e05ddaf70a1a03c5c40

SHA256
4f899c9740e32816a9089fc7bd85a042f03062ef9bddd0171cb21d6c8ae36ad5

SHA512
9a7e7b63be4fd93b5d4a360ac9d01eb6b10e7656601fd83a665837fcf445e245d2f31a160e45e0bbb3b4ae94e1d7ea31e38da4e3d52ae26b5cf803dcbe538bff

Download Submit
C:\MintUQ\optiaec.exe

Filesize
2.6MB

MD5
bc95c1329d4dbc1281638fb4fdc03b52

SHA1
eb04db2f2252fc95a04654b76109cd669024e4f3

SHA256
0f8448667f0fa483fb52513c6dc9940132278d6f40cdd41c6b78fc11a44d59d0

SHA512
452ebcdab5d4340983af24b1e4728a764b4a4742867c97ac36b0c1ecf6f6cb770894201abb75f9bf92a27a9eb7348769fe4a46505b2d1c30ca16562934eb5d90

Download Submit
C:\SysDrvQL\abodsys.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\SysDrvQL\abodsys.exe

Filesize
2.6MB

MD5
1d3ea132ff9724768a2a4c9918279df3

SHA1
48e0c664909f2d890982d77b4174963cffc6472b

SHA256
a773e7a4d80d14ce278be670568d0e23eb85d57a5602ed9c91d90b50e881a677

SHA512
8e360abc489464f9138b78682a139601759729837a4896eb9e0a42c39b8659886dea48327954f4184b6ada894efde5763a216a0e250f73c7cbb8be02a5a2bfa4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
8ed3afdbbf5769d66480a67574ce9314

SHA1
2a168714f8459b797e381af528395a0037befaea

SHA256
4f7a030e931c776d7a6654df9cca09663f426be882acfaf6348210b11f0e3174

SHA512
3731a33455844e0fb53f54e60a206d757c280593058c2efa7d32bb59eeb21ab3a26ffedcd605dd9a8ee8cb8713bd8125e0f13285d70d646bd188e54bc4d3b68b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
6cd32e622cb42560832005a04c000de6

SHA1
1cd77b19205d4379bbcad9670493a8b6ed0ce8a6

SHA256
f98b0e858c6676569ebac7992b8270946c2d64a9bec26abf2836403ecf17abf6

SHA512
325c31fa34ad36cb0ed6b3aa7ec6c90a9153b0ba5b839903769fa26d72cb3940de36207584390e082e7058e6443fb1f4b19c4dd275580173daf16aa2eec2d48f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
034e1b2391c4f9b2ceb13c6ce44f2b48

SHA1
65cf97134075e9e6c5ce828809c59d2b4d91cc92

SHA256
4e238475a30efec8d391edf3aab14814520489f27c5691f24668b3ec410735fa

SHA512
af3dd6485e332b2b48728cf7ceab7f26736dfe2d4794f01de83dd868542095acd327b0b263d6203b5c31d0f3a7a268ab68f990ee3655c00b8f86e098ac9731f1

Download Submit