4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
Size

2.6MB
MD5

4f9e62b641b82463c2d09941131abb83
SHA1

d7c1a9c10178bbdededb32e5d92cebdc3a5e6acc
SHA256

4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92
SHA512

e2468c8a336003e7121545196a144096190c69f39fa15af0abd62a592666db1522522053f9401e4657e4132d302aab365938ef7024148606f91cc5e06d76689a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe

Executes dropped EXE 2 IoCs

pid	Process
3436	locxdob.exe
1644	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files54\\abodsys.exe"	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKP\\optialoc.exe"	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe
3436	locxdob.exe
3436	locxdob.exe
1644	abodsys.exe
1644	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3436	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	92
PID 3076 wrote to memory of 3436	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	92
PID 3076 wrote to memory of 3436	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	92
PID 3076 wrote to memory of 1644	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	93
PID 3076 wrote to memory of 1644	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	93
PID 3076 wrote to memory of 1644	3076	4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe	93

C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
"C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Files54\abodsys.exe
  C:\Files54\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files54\abodsys.exe

Filesize
2.6MB

MD5
c322f1f200e74465c40b6a1cc58eb732

SHA1
04e178021c14da4d2de4418cb50099508e58c9c6

SHA256
0468c85d7066c54cfedb342784c352875e378b7b42391ff0bec2fe7fa2bbf4a1

SHA512
6934724bfb3e32661d03cdecb0d76e71fcb05eac763fa9e0ea23a94afc6bc884a1a356f43c98f67da25d9f3b8116cab7fca68481ab4f956502da2be8a9d71669

Download Submit
C:\LabZKP\optialoc.exe

Filesize
1.2MB

MD5
ddad73d4f787cbe13851c57d7a2663ae

SHA1
4693ea6d94291931689c00ebd0422d1c6f9e1f53

SHA256
4d9ede245de0fa7ea57778c194459f5a39026345ffb54b34e00fd606214f6efc

SHA512
191eadff506e35b7332ae3782980437c9493164ce3db27e25b0efccef02f9af96f2ba3a96da7532245ac7a47179ae590e5240c2a06f19eec30f0235ce79aa8ab

Download Submit
C:\LabZKP\optialoc.exe

Filesize
19KB

MD5
d016b0ad254ae9664284c6bec29c5ba6

SHA1
7ae5e9559a1832a9fb2100c1032f300c8dc78e9e

SHA256
7c02f64b740ff9995b503e0f1e0c8c01d837aa4bd8585709cf0f8dfe61831374

SHA512
c22c1b33c86d3a40515e18681d66290f6976b7510b3d4fce432a93ed4220ed0ce1cc8d8f3ddbabfe38b8176b15e6f826172e59fc74b34f4e1ca4414306ea2430

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
205f4f2818d82fdbff67fbdaa8922d9f

SHA1
0f9988c720c55399a7b7f83f80266084f0c9c115

SHA256
262d3b48aa79d96eca5f8508ae99161e022bf8c78b992fbee586e4ed4821ec1b

SHA512
37896cb9c230a6a345b389bd69f6034ede87dfdc1e230ad991dd45e5270326cdfa8c1f84819516e7836d91046233926b49d964a62a74ff0fa31f19df352f0a9a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
093e212c2bf33e985cb1fa9a76bdf9e2

SHA1
269fd9d0a7fbbe77b8015a0f7eef99a1e68b5430

SHA256
a48e2ed127cf169d96da0fdf3f23e2f61354fecec6b0cc5e558afd60ff3321ba

SHA512
d107a1753334c11b39f17b97c6ca1716767c69340faf1509e7e8f095076a22b652fa2eb62c265950d78c39e3557ab6cd9628cc624a4959b3fca14033b25ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
27d56da6f39efbde56cff32b505bbeab

SHA1
c17e8338aedab12c51e66d7faed8a3a639e2ee09

SHA256
db09c80a7c8e3620f14d879c7489a02f6bf49b1bb0bca2a0cba71e14e346a87e

SHA512
60ff9f99128737d5d20fa9b27625f5cdd2f9f45cfc1cd00409134b0dff2fa51339c2d23bfa14104f014b2b0c4478e71ff65f0224ccd3b5c82e42225b7a009268

Download Submit