Analysis
max time kernel: 119s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: 06ab4933f4afb37257e7667d54115260N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 06ab4933f4afb37257e7667d54115260N.exe
  Resource: win10v2004-20240802-en
General
Target: 06ab4933f4afb37257e7667d54115260N.exe
Size: 2.6MB
MD5: 06ab4933f4afb37257e7667d54115260
SHA1: 843c38a878b7ad06753e72ec0e1e95ddfb482b2e
SHA256: a704d820425de8dd10721d27ba8508def59a7b3c4ac5c60736cec431786d9fca
SHA512: f097623fb69fdfa9bf6408b90b41ce22c8a5846f94ec1c50c41a2448d9a3d8ab012d75f9d832a3c312c32831e40507b100897cabaa7d569ddaa9ba7c2391be48
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | 06ab4933f4afb37257e7667d54115260N.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2324 | locdevopti.exe
864 | abodsys.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8H\\abodsys.exe" | 06ab4933f4afb37257e7667d54115260N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6U\\optidevec.exe" | 06ab4933f4afb37257e7667d54115260N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06ab4933f4afb37257e7667d54115260N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodsys.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
368 | 06ab4933f4afb37257e7667d54115260N.exe | 4
2324 | locdevopti.exe | 30
864 | abodsys.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 368 wrote to memory of 2324 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 90
PID 368 wrote to memory of 2324 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 90
PID 368 wrote to memory of 2324 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 90
PID 368 wrote to memory of 864 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 92
PID 368 wrote to memory of 864 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 92
PID 368 wrote to memory of 864 | 368 | 06ab4933f4afb37257e7667d54115260N.exe | 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 368
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2324
  -
  C:\Intelproc8H\abodsys.exe (depth 2)
    Command line: C:\Intelproc8H\abodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 864
-
Network
MITRE ATT&CK Enterprise v15
Downloads