e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
Size

2.6MB
MD5

827d1a54f0828cd0b365b0972ce2fe96
SHA1

73a18d81703c0569967b0b35fa4d045f427b2769
SHA256

e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095
SHA512

27f261a29ca2a9c62ebb43230927fadf839d138b26f4256c29c573681df93c8f4e0670b13d4a905d6a9e9d753629f2869d94ee2b460881402e06085568bbf8bb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpRb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe

Executes dropped EXE 2 IoCs

pid	Process
2008	locabod.exe
2692	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJP\\adobloc.exe"	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLH\\bodxec.exe"	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe
2008	locabod.exe
2692	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2008	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	29
PID 1476 wrote to memory of 2008	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	29
PID 1476 wrote to memory of 2008	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	29
PID 1476 wrote to memory of 2008	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	29
PID 1476 wrote to memory of 2692	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	30
PID 1476 wrote to memory of 2692	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	30
PID 1476 wrote to memory of 2692	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	30
PID 1476 wrote to memory of 2692	1476	e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe	30

C:\Users\Admin\AppData\Local\Temp\e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe
"C:\Users\Admin\AppData\Local\Temp\e018c7a9526e69c9e6e991cea006d0dd2174e178957839cf244c7dcbea5bd095.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\IntelprocJP\adobloc.exe
  C:\IntelprocJP\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJP\adobloc.exe

Filesize
2.6MB

MD5
be94b36104d73d6828c50bdd8bf0ad8e

SHA1
0181be6e326c459ad345c06b18b2a250584ee340

SHA256
70f510888c3bb92ac334f4fdf03782949e5021e0968ad18348eb3ec850d54ec3

SHA512
c2cd99a4974ae36295f51a46aea9195226e31ee5105f51739d6cea6bc8957e728eb6396407d11dfc4d7d98771c4c369e46e0c5b95c8284fa98998321328dbbb1

Download Submit
C:\KaVBLH\bodxec.exe

Filesize
2.6MB

MD5
c0ceb2c468e784a7db5f324ee85c6d10

SHA1
ab725260ecf76856824913f6186e57ce30aa3974

SHA256
4839172ef180b4b0810bdf2a08caa35f3e2a0f0ee9c80be9bfba8b7161058b42

SHA512
3eafd6c9ba4c31f68ddd7fd450054fa05b3b46ddd2aab0f62e2522eec44be3e9b03e3a162b684402af04cc1a1137fd6b3c4418522ebf253dc4b9475582b9f7ab

Download Submit
C:\KaVBLH\bodxec.exe

Filesize
2.6MB

MD5
a134ee38b83c900a76cdaf771013281f

SHA1
76a62ed423c05358cef467667e961a358b5718a3

SHA256
c2ca8ccd294bf1cd4d02e3f11a7a9d0f23eec41bd351e96bf12f366d3aa94ba7

SHA512
57505fbea5e84ff5afe0badebed859703cdd03a149b05bb56f483c85d478f3f42798cf7287e8c501ef8cbecfeb917a61e924b329d8c6d1fd3f5fda1fa13f4460

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
555f30b46a92577640785d318c40da08

SHA1
6f94fe1c0756db3dbf471edab2fca3b5f491396c

SHA256
d02e5e7970543c2aa13dbfb531e49f69c81c6f0a96f0b8b3d206b72982daae80

SHA512
c26aa14e1573a4882bfcf8f94aea85dd99907c9a1788f12e81e5f68f59b82d982bc9ef3ebb8da07e5ec27a49166a1fd31bd1becc5fa606901861d2ad00004823

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
2b6b53bf9101cbb0cb48e3b8aed62b76

SHA1
59e6f3c0a00ab15c49b48334857308a75788f5cd

SHA256
eb2f32660fd16479264c4f2c059d9468dacf280a2b50991fe870d0e9efa8f5d6

SHA512
6650dbdc7fa5d799178afb3f9d7ef664768a7244aff467e8d5c3f10368b4c498028603e99d950d54be75ec44e8dc950941800861410e6210d7948ce57bd623e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
23775dc51b820cf95f305a01367dab75

SHA1
5bdc5305004adb58c144d43138c563ee0b05ddcf

SHA256
f44eb4294966dc148b63b89db705449adda9bfef9db8cca6828a0c0b950c2598

SHA512
fc4ab31fa2a8eff9ada7e6357673b20b982f59b3d615b6de49d2a19ad474947a2aad00ed5a6331a73a88a6fbc18a14b147dacc2d7a17c5434f35f59f64f02c98

Download Submit