f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Size

3.9MB
MD5

7112afea309abbdceb6abaa2cc02ef26
SHA1

5ce49d308f912d0aa1b5c35e86b86c0b65cca4dc
SHA256

f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324
SHA512

d9431f85e526065cc654b1a1f24147b19f7f5f04c3e6d482a92c12334dc790737388693d2713424372afac0dbcfb9e89358891041643ad879742651260e9c124
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpobVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe

Executes dropped EXE 2 IoCs

pid	Process
3436	locabod.exe
784	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\abodloc.exe"	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCQ\\bodaec.exe"	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe
3436	locabod.exe
3436	locabod.exe
784	abodloc.exe
784	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 3436	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	89
PID 3272 wrote to memory of 3436	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	89
PID 3272 wrote to memory of 3436	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	89
PID 3272 wrote to memory of 784	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	92
PID 3272 wrote to memory of 784	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	92
PID 3272 wrote to memory of 784	3272	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	92

C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
"C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Files5O\abodloc.exe
  C:\Files5O\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files5O\abodloc.exe

Filesize
3.9MB

MD5
985d667534ca608ab2bcdb55def09019

SHA1
911c461bf60c4ed3c1f754e0653e80c94638b640

SHA256
fb94063f40d639b23a0de0946ad1507ff7d4b95172010cb3b292fdc685cf0022

SHA512
380dc4bcaf946be3e89476babe2a758bd422b04b767c8490d05f1afc8b2f4cfc8eae70fceae81f3928bf36ffa90b0291aaff025404cf192a42609efae4968d28

Download Submit
C:\KaVBCQ\bodaec.exe

Filesize
3.9MB

MD5
d3fa4d639660d832bda40407eba5462c

SHA1
5573d2d51a1a7233f03019e954d2e240bbba7b3a

SHA256
f6d5f67787f84df71be2ea04580703127eaa2a03719b434a3f065efa9c123f0d

SHA512
f80484f42b727612e4a1911cddd7cd2822d02b4728360dffc7be7f70ea772d72ce3cb212155917232a56eb68eaec6ae89de88ab97ccf1fee21cbe9241f6cca6a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
d04d249f8b90a853ac67290536b50323

SHA1
c0659b90524c2913c577009b60c350275b4da18e

SHA256
059eb1763688fa61ddb222045677081178a99a76f9b204bd63aaef46d14be96a

SHA512
d64b0df0f00f931110f44ea17eaf14325c027939f9a3f40404677a7e7a51ab7c712fafb116916eb3637a85fcf2ba9ddeb28f9e2667c1125af93cb56e47654ca1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
50e3d60817310f5ba80aacbb07914240

SHA1
41087dc06f021835ac97ff30f4e8fa957c1cc66e

SHA256
71f817e2eb0034da56cd4f2cdb73e5fe50ca399c0565c9a868d97153ff5af4f4

SHA512
ea1e7e8c5bab5f6c6af4235f506559c9fb08333c265e29c676b48e0ca16d1b91b7530a449290aa0e79e1f91618a4f4cd01d47868711ef0da3b940e9c105a0cc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.9MB

MD5
bd92172af8bbfcaa70003fc3f0555816

SHA1
8b2c53cbdf2cf5603923f0ed0598e7bda9cd5cee

SHA256
75099f4b9fdc3423ac97cbcd0851cb0f2818fbcf55cdd9cfea0b89314c1f7b99

SHA512
b61cf31088bde0354e3e2a35657abc7285fc93b33711aef59bdb81563ce09724bb594573edb685ab0b286aa47c699b3d6283c8150837c03bfcf8a2dc4e41712a

Download Submit