295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Size

2.6MB
MD5

d26b5adb1b5ea2d0fa196ec3b837a355
SHA1

9e7cd4f04c060c64d7773812b662dbeba3148b32
SHA256

295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32
SHA512

680a5265895eff8a09e9e3ebb7f70fc4d2d8a0fb07e48eafe869ceaf7c9bb5612e5a6614888d1eeade03b39d69016aa2139b239d18369df55293b90f82836c47
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	locxbod.exe
2676	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4F\\abodsys.exe"	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidB7\\boddevloc.exe"	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe
2164	locxbod.exe
2676	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2164	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	31
PID 2280 wrote to memory of 2164	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	31
PID 2280 wrote to memory of 2164	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	31
PID 2280 wrote to memory of 2164	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	31
PID 2280 wrote to memory of 2676	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	32
PID 2280 wrote to memory of 2676	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	32
PID 2280 wrote to memory of 2676	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	32
PID 2280 wrote to memory of 2676	2280	295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe	32

C:\Users\Admin\AppData\Local\Temp\295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe
"C:\Users\Admin\AppData\Local\Temp\295ef7779614beae1ec9f71d8110881ca99a4fe43631cb730fd0cebedbef0b32.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Files4F\abodsys.exe
  C:\Files4F\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4F\abodsys.exe

Filesize
2.6MB

MD5
425170f1884b66b9e3ef506ac8ac33aa

SHA1
80b60e77ebe5f30735be18f29630c51d11af6018

SHA256
c1233e4c5f9bc45d7db88eef4346ede6b4b89fd7a1126a91038b076c78045754

SHA512
7c5c8b02112ad97baf8496fc47b3679074b38f8a52376e9bf9027e511be6cb9be12650e2308a4556a2ede13157244c032a1e36ec71f789c66c68163804ceac01

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
e9624b470560a54bd9b00c444abe73f2

SHA1
24b517a4d26f20cccfa71dd0f5e99a523fb7c65a

SHA256
dbaf551c2c17f25d6fa9a367e2cfd1039c5d763fb54816586305d2856b24b128

SHA512
3c1c10a6305a72e740ffc0163dd28d7783153045db8a983e606d21524c69468a5b7bf771e68d38f8de868842e3d91e9899ab51a545a23130da023b4c03f164aa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
fd1a8baf8cd37daa132d28c266ac036d

SHA1
9d98649a56ec0e0eebb12ad6245e904ab68e43b9

SHA256
205b854cbc705b6f0642227ec7a64c929a406e0265963be764ce655aaa38458f

SHA512
c8bb00f8376542dce4f82707c2c455f5e53aaa0d89ddc93d8223124a7352989eb7a2c79db5b9ca1c9baa2ee3b5ac11b1e5ece5be806a663dc9df697b3bcbc5d7

Download Submit
C:\VidB7\boddevloc.exe

Filesize
2.6MB

MD5
92def3f25197ea82014bd109f5080769

SHA1
0ea44fb1f6dedf9b6dce344c8f8639655d0f4401

SHA256
9f2421437eec04cc173ba8b0a35051ec7785c5f98403ce15ba8a5a8cf6823784

SHA512
548b7e4887f5423a02dbe5d2e978ec103d7065d01e23d2cc54e3a3a0082f3d2089c0f3f453ecbf81eae466e3c4ea649debf626c6b75a7f71f5fa1089c1e969a9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
ac61f660f6388580b91fa91a245fc249

SHA1
a2b5582705e6aabf5e628704750f630427963843

SHA256
4053ca4e5507b243373479ce8da749025e1c335525531fc6717295767eb7f62a

SHA512
2ee56deb2499ea6248c740e74929d50453bf6f6d4aff6ef6269d394ab65d32891f24db4e105420da814c98f31908e749b5da14de00cf8d783f794bd055567997

Download Submit