d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13a7d99f039d8bea8659dfe66cd7c170N.exe
Size

2.6MB
MD5

13a7d99f039d8bea8659dfe66cd7c170
SHA1

47f427b1a3b89bcc1370af11c0826642a4586485
SHA256

d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819
SHA512

1c9c26d2435de00aa2ad10068b77c55f216da624dc450fa870da18648989663ec4892c6dc504a6311bc3c89465bc3e71c72b60cf8950bbc341805c77cd383f3e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	13a7d99f039d8bea8659dfe66cd7c170N.exe

Executes dropped EXE 2 IoCs

pid	Process
3016	locabod.exe
2224	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	13a7d99f039d8bea8659dfe66cd7c170N.exe
2124	13a7d99f039d8bea8659dfe66cd7c170N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD5\\adobsys.exe"	13a7d99f039d8bea8659dfe66cd7c170N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYP\\bodaloc.exe"	13a7d99f039d8bea8659dfe66cd7c170N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13a7d99f039d8bea8659dfe66cd7c170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	13a7d99f039d8bea8659dfe66cd7c170N.exe
2124	13a7d99f039d8bea8659dfe66cd7c170N.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe
3016	locabod.exe
2224	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3016	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	31
PID 2124 wrote to memory of 3016	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	31
PID 2124 wrote to memory of 3016	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	31
PID 2124 wrote to memory of 3016	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	31
PID 2124 wrote to memory of 2224	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	32
PID 2124 wrote to memory of 2224	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	32
PID 2124 wrote to memory of 2224	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	32
PID 2124 wrote to memory of 2224	2124	13a7d99f039d8bea8659dfe66cd7c170N.exe	32

C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe
"C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\FilesD5\adobsys.exe
  C:\FilesD5\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesD5\adobsys.exe

Filesize
654KB

MD5
68c4930a0efdce0be48f5f69b58c6d2d

SHA1
53b59a10fd69edf1a10a451a07d9b8d8ef2b61fe

SHA256
76d760e1fcf983e7c42a8d2f685c39dad031329808ca17db0eea37156a6dd03b

SHA512
7ea25ea2101cb9bf28731a28dc383996a7ac40043278da89ee1bd66cc188f465d4982b67014cae3b0ade09d5ed7d5072947ec95efeab3f16272f62982d6662b7

Download Submit
C:\FilesD5\adobsys.exe

Filesize
2.6MB

MD5
18e212f089d7e1402303b34621f93f39

SHA1
6a4c7c9ced54929bc0a47cb79ea55fbcac116068

SHA256
18c80384e5cd5b32df15ad04043dba7e9a709a908a5a768f27b0cf387e83abdc

SHA512
3c983669ff8d79ac9886e75ea616b5200b522843a85ef7accaf35f7266e40b12d3f70e86d7e880a2a177464fbe2ddf87a53a0391b79f9b3e6e5faf889b4cdc14

Download Submit
C:\KaVBYP\bodaloc.exe

Filesize
2.6MB

MD5
4ad0858c576242a6c8bec9a8ebb20de5

SHA1
f0d180590a16a4cd1a02fe8e44ba374e07ae2d9e

SHA256
ac87a5e2bbf30483c0b15e07c3c82913ffd2ee10e7ebe0f310a0980fff7f1aff

SHA512
69445f5ba82f4a5d0897267137e4446e62fca777a46cbe91cfbb53aceff33a27041056be81aa6459661fcd0bdae03f649627031df299d74af793dfd376c51486

Download Submit
C:\KaVBYP\bodaloc.exe

Filesize
2.6MB

MD5
951373970d469a6948fd71770f36ac6d

SHA1
863a4b4cce9ef90ce0cc66989d8b5c5eebbb2b94

SHA256
0ade2c2798d341633e760e2d315955c3b6d397ea2043c61ed4a1e8a584368a67

SHA512
901f6c6abee6f472906b2ecd7445fe4fbb74700dd8fcb389787eece0627b3b8261b2063c748d0a9f005ed98fb0b65a30e3d6675e59381bb428d1200b3faea233

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
0c33bf4695536a332d8bb0e7ea482119

SHA1
36b113f97d99e26f2d361507651b97d63accc71a

SHA256
eb41648383cd298c5bd15a2f2946a530362f37833adb93c7adfe2bc1924f3a0a

SHA512
fcc6d638c3b51d14254fa5be9ce39a3a14ab853c27be10f28a1c3f6a5989dbc551f10d72c76d80be04702bbc1d2bf21184af3c7cf35f9dd2210d166fbed64ddb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ced71dac7850c0b494e9fa05d8b53e25

SHA1
f1923f06f133b691e099f8481ed891b1d215968c

SHA256
3bc94a4872afcaa36f3304e1fafc4859d94be65639a21791c51d2eca0b915e89

SHA512
50e799b22ca6cbf97a723afb1a3f3a9622f20b35e3f5d2a9cec453d760480321b8dcdbeee6f9e4f165bbd87c204d71970e9ef1d776348135d06d3ddc7d37bbe1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
e0fea963c420d455d61e06d32f42f3ea

SHA1
f243ec011cb03241874e57ab381d9376e5d2a642

SHA256
6191f41f656a1531d7a8559b8ab08f33c14bc467395c5c8f9cf453979bc0159f

SHA512
b5175b0a8ac2ad37b00d1db5dbfab80c180a79343ba53dc9f4f5a875b8c1f127934c1048814e162bdefad074fc2107ada0f25c28bf129dd37d6272eeab7786cb

Download Submit