14bb8089f60455e3c63b11190c3c016e052dccfd4bb7a3ff5c3ce5b71774b695

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3777391aa10c9f219311bcbc0a8723e0N.exe
Size

3.6MB
MD5

3777391aa10c9f219311bcbc0a8723e0
SHA1

14cc5d502851c8efd8140184f8205c38b50eec05
SHA256

14bb8089f60455e3c63b11190c3c016e052dccfd4bb7a3ff5c3ce5b71774b695
SHA512

8e3821eb12a535e175554fce4837c5c5e6a0b97c6441fbfc7c6dc2600b571b6169521af4a85169c88be96abe7bb77c6eed5a91a1a233121499cadf202ae089b0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	3777391aa10c9f219311bcbc0a8723e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	sysdevdob.exe
384	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeP5\\abodloc.exe"	3777391aa10c9f219311bcbc0a8723e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\optixloc.exe"	3777391aa10c9f219311bcbc0a8723e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3777391aa10c9f219311bcbc0a8723e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	3777391aa10c9f219311bcbc0a8723e0N.exe
2808	3777391aa10c9f219311bcbc0a8723e0N.exe
2808	3777391aa10c9f219311bcbc0a8723e0N.exe
2808	3777391aa10c9f219311bcbc0a8723e0N.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe
4900	sysdevdob.exe
4900	sysdevdob.exe
384	abodloc.exe
384	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4900	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	87
PID 2808 wrote to memory of 4900	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	87
PID 2808 wrote to memory of 4900	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	87
PID 2808 wrote to memory of 384	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	88
PID 2808 wrote to memory of 384	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	88
PID 2808 wrote to memory of 384	2808	3777391aa10c9f219311bcbc0a8723e0N.exe	88

C:\Users\Admin\AppData\Local\Temp\3777391aa10c9f219311bcbc0a8723e0N.exe
"C:\Users\Admin\AppData\Local\Temp\3777391aa10c9f219311bcbc0a8723e0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\AdobeP5\abodloc.exe
  C:\AdobeP5\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeP5\abodloc.exe

Filesize
3.6MB

MD5
80ca0e5a78f5e6e867eb7617fe760c2e

SHA1
42ca55e79aeb25eb81145f26a54f535bf1d52beb

SHA256
405e5c3fd878c2eedf19c3aca5b2917d17b5cc9c6734ba0348bdf915ecde76f7

SHA512
fa956e2df10df1c6d30b830a83f5433dbb4b6d988421d215a3a0566ff4f3ca6c9e80fc6c4ff1852377879708bc5d377c71a45cd7e44f4d47a361aa85bc817b70

Download Submit
C:\KaVB2E\optixloc.exe

Filesize
2.0MB

MD5
b5c62a0e92ea389325cea6ba59be9da7

SHA1
a410a93adccab0ea3b9184f9fc7bdcf03fc3ddac

SHA256
735f262e1051a1ffb6973c2b1521391509f11087443505490be65255e36d71a3

SHA512
00c424c29421599fbd4ea4f444a74b4219291a1720f8e011bba1a5a00086e672148590a3352f5181c2ff02b6d2a79ccf6e10672e9a95234e405a6165076eebe2

Download Submit
C:\KaVB2E\optixloc.exe

Filesize
3.6MB

MD5
3bfa25919dfdea2f9fb5846b67f1b49b

SHA1
4cd6eb0db50b7159434c03e2d7af19a1112a603c

SHA256
90dabb71df704e58ea7a41253d713c2bdf6e97f0de8051bf998e9e379d731f64

SHA512
bd6c725b8ba4862262e106e546c3781fd3c6a151bbc42d39aee5f64e77832e163b0737bb6d574a7c186eb936fdc6b42d56184ec56abf2da9810333f938683c73

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
2dd47d6228a06d0390ce5cb07e98777d

SHA1
e5703e710f9cf0d2a0ef595b98a58b73c5cc2e85

SHA256
a97357a86d4986aada6b910f3479e8ef81a8eb89b019c632e1358390d02cd6b1

SHA512
37440a54ed9da3992ad8eb067c01f7e29898948320d6557215fb5074b0db6b702bdc67b3752c79b979614bfa165e39172321d072bec36656f70918eb1f79796e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
743844481d85a48e71af935735d77f03

SHA1
9c9caff60bb35d08ee70f357ad3593b65fab81ac

SHA256
b26c97f5390eca8df690afb51048ceea0af3865aa5570b85a4158b9b1265d88f

SHA512
064ae4427da16603dd7f783cb5c9ddee6e8be547d6e8a90e0a8ba75d73d117f487fb89448266b6b4b562f122fd843cd1d3114b1a0fb9da66cbb5a3f878ddc3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.6MB

MD5
a2e8c68963574468b2cacc8ca22ba9a1

SHA1
09a68c47ca4d54d789e854cba23fadda1b1769d7

SHA256
0f027ed0d0495b8cfa43a7e10e0115df3589bbb2afa0844fd76708a0248b9a5c

SHA512
b85b1e73e56a56ad55f66fb7129849cb2b0998614795adb1aad8e8e408d3207697954389781e3f2867a32eaf8c6d9e3660a5bf46252592e2f54fabe86caab18c

Download Submit