9e3f8ed25e8caaab516a552f782f7da668620792db0f6ac3439896a5ffa06f04

Analysis

max time kernel
119s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2370533992d66b2c64e9ee89d2757000N.exe
Size

2.6MB
MD5

2370533992d66b2c64e9ee89d2757000
SHA1

27cb790bcaf7c8f9b42f238e76310922146a3a58
SHA256

9e3f8ed25e8caaab516a552f782f7da668620792db0f6ac3439896a5ffa06f04
SHA512

0fa4faa9f42cfbecdca252a36fb491f48662d22ebe08e8c6b9d2c9ad86621100e4061c827682724dc513eacf839233f74809128599f0413ce0c27dddaca92540
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpcb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	2370533992d66b2c64e9ee89d2757000N.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	locdevbod.exe
2860	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	2370533992d66b2c64e9ee89d2757000N.exe
2120	2370533992d66b2c64e9ee89d2757000N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC1\\abodsys.exe"	2370533992d66b2c64e9ee89d2757000N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZX1\\bodaloc.exe"	2370533992d66b2c64e9ee89d2757000N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2370533992d66b2c64e9ee89d2757000N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	2370533992d66b2c64e9ee89d2757000N.exe
2120	2370533992d66b2c64e9ee89d2757000N.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe
2824	locdevbod.exe
2860	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2824	2120	2370533992d66b2c64e9ee89d2757000N.exe	29
PID 2120 wrote to memory of 2824	2120	2370533992d66b2c64e9ee89d2757000N.exe	29
PID 2120 wrote to memory of 2824	2120	2370533992d66b2c64e9ee89d2757000N.exe	29
PID 2120 wrote to memory of 2824	2120	2370533992d66b2c64e9ee89d2757000N.exe	29
PID 2120 wrote to memory of 2860	2120	2370533992d66b2c64e9ee89d2757000N.exe	30
PID 2120 wrote to memory of 2860	2120	2370533992d66b2c64e9ee89d2757000N.exe	30
PID 2120 wrote to memory of 2860	2120	2370533992d66b2c64e9ee89d2757000N.exe	30
PID 2120 wrote to memory of 2860	2120	2370533992d66b2c64e9ee89d2757000N.exe	30

C:\Users\Admin\AppData\Local\Temp\2370533992d66b2c64e9ee89d2757000N.exe
"C:\Users\Admin\AppData\Local\Temp\2370533992d66b2c64e9ee89d2757000N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\AdobeC1\abodsys.exe
  C:\AdobeC1\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC1\abodsys.exe

Filesize
2.6MB

MD5
3156da6e75c4ed15c1319198a804f692

SHA1
ca2a4f127d98c69a70313f99caf00fa229256939

SHA256
abe5c7bdbcbf91e4b37d1f299ec755de6aa3e404150ded084781f1f6c5e3f054

SHA512
d339624ddc90b623811a6c7af1d093b764b1b408ab34ef04c084f786419b954a2b8c541012a13ecb19e3197635afb72569f193e59a15e8cc49a2ff4040a6c1e1

Download Submit
C:\LabZX1\bodaloc.exe

Filesize
1.7MB

MD5
63f4c43658e48095cd7676ea59ef96d8

SHA1
aa7ef92e40e29446165cfb309921e0e984464244

SHA256
036240ad7a682595a9f17e12f8b24cd797588e4a19b704c6bf3e463880a413c2

SHA512
d481bfcf17e8eb6f5cd30b84605e5892ae6ddb45f52d82a498b7cdb8cf09889ec9457fedb995fe4ad7fe034ba73f7fd44895c6a85814372a189aae05a515114a

Download Submit
C:\LabZX1\bodaloc.exe

Filesize
2.6MB

MD5
7ecc608dc5c04187697010b78be9f4e2

SHA1
7266d1ce391336ab74c1cfca656b6682ca8adfdb

SHA256
b5ab82998c0a90d7ce2f1f408a64eee354016cb31c57655d8adcf97ca8320b1a

SHA512
232d0daa25edcd5da50a872eb9e9e069c6e04b3387820074777d0a5732c74e8fce2ce31fc062bc34dbba71ccb25b9f0dc05be2e40c6baf2b3dfee9e1949c9bc2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
e09deb08eebb76bca27b7ab0f0427621

SHA1
078132acc5a91c8d7a0bd517ffba3e68030a98fb

SHA256
29b2e7506c5bd4f8069a7a7a209c64b4f6103eb8019a79e8a0797ca89aa9362a

SHA512
9e55fce7fd176116b1a0e6fad19a773f4b74c32e1b4930bc01f994682ec72021cf6837c09d51c7778f4ae1a42eac9991c6f46bfcf39957958043bb126901b4f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
9e0c91fe1e0a1d042325704a6b94b7b9

SHA1
d1ea78a78072de1f63a010afe872ac9aee6b0db3

SHA256
442000ffb3444a6a766f7a9300807bf37328094e30d7f4b1070fddbea42f4981

SHA512
e95efdae942ab37828e9cca4e3403acd4e1e1dc80c385a80f5162a81aebca666722aa4b7bc177fe561a54e639fdfa3e7b3fe9127f49d5f9c73d48f4377dd0a46

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
9ab4026540a7008f2902ce82c9fa8a0e

SHA1
b9c1e0a59e66bd99fea4298694e76f073c137bbb

SHA256
6b70d9710d867dec72aaf52986d37b09d1ac6988bab92a01d12bbd017ac1f692

SHA512
981f643b3eab31c625450b0ec20cccc95a84621cf4858178a1b93d6a31e4db6b1c5fc19a5445f90be075b2cae5eaaf67ab6d5aa67e3d74efc8bf399f3b987d42

Download Submit