0d71b440096089d4ec77e7f3d1867759b57a0a34a5ffa303dbccc605694d5dd6

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 01:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e03d589f4f4540c531f8b5f7eb89efb0N.exe
Size

2.6MB
MD5

e03d589f4f4540c531f8b5f7eb89efb0
SHA1

e84a5158655fcc7f441bc3047ec9bef987bf9e09
SHA256

0d71b440096089d4ec77e7f3d1867759b57a0a34a5ffa303dbccc605694d5dd6
SHA512

d93378fcfbbbdd784a7daec80dc2e794a55ac9f3956b38b31ed5034847f2e40d8ff6362016b911611aea1d0d7d7d96b8e43ee7ce04b244891f3c4d1129238d7e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	e03d589f4f4540c531f8b5f7eb89efb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4368	locdevdob.exe
3484	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJS\\abodsys.exe"	e03d589f4f4540c531f8b5f7eb89efb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8N\\optixec.exe"	e03d589f4f4540c531f8b5f7eb89efb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e03d589f4f4540c531f8b5f7eb89efb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe
4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe
4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe
4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe
4368	locdevdob.exe
4368	locdevdob.exe
3484	abodsys.exe
3484	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4368	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	95
PID 4428 wrote to memory of 4368	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	95
PID 4428 wrote to memory of 4368	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	95
PID 4428 wrote to memory of 3484	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	98
PID 4428 wrote to memory of 3484	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	98
PID 4428 wrote to memory of 3484	4428	e03d589f4f4540c531f8b5f7eb89efb0N.exe	98

C:\Users\Admin\AppData\Local\Temp\e03d589f4f4540c531f8b5f7eb89efb0N.exe
"C:\Users\Admin\AppData\Local\Temp\e03d589f4f4540c531f8b5f7eb89efb0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\FilesJS\abodsys.exe
  C:\FilesJS\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJS\abodsys.exe

Filesize
2.6MB

MD5
c5a15938a246ea4d82502a22f4e5ebeb

SHA1
dfc0d294c6c2dae7be2a7225ff3e55c08500d29b

SHA256
f3d91c1711025b1c1559799658bf84652136f7337d1f65431ecad02455438929

SHA512
cc570168a910f2bb3af8d81417a0fa245818a149997a9fc006d455c392e8c7a320940242f3b60773834ea6181cc873da0b7a456fb90104668877d5bc8e4c3cc3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
308673dfbd2e9622636d060d947bfb03

SHA1
a9fee37a42e79e26512b12d673599ec5e03a9cc4

SHA256
616e19bed92d98eb02c5def6d48197d1fc2394a1a6631f6e537d6432ce13e874

SHA512
4daac59879f764a5774b88cef0135e97d15526da49428babe4d23667155e620a64397ea4196139f5ca0df921f03de589f84bb599d6d8d699514a4133b3292386

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
0793e5e60f7a21c657d33046966e40cf

SHA1
7f0e9bd62c9490da9b013b71e50a289995d879a5

SHA256
951b30909d157dca8f712fc5e9d65be322c2a0b9e1066eaa8e8670b24b075426

SHA512
7e63b360261fbd22e6c5e9e15ca28621d03c55e0f68982f68458eca9c8d8ee018cb282aef3f68a7a1e43c8b7bda2bf011f13351ff075863ad4510fbd08d075df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
4faeb33a03ef86a7d6a29f49029c1c9c

SHA1
92e82aacc86ff16731535175dbec92c27af85379

SHA256
3861c6cd74bb8703bd67986c03be04c8b6f8504317e9788140eecb51cd4d504e

SHA512
2d18855fc3bf6eb4cfdca804f1199672b81af7380c582bfb937d6e7603ca77464a6ad16495667b0177e236002ac0d2e82beba081eddab3c8fa858baeb3fe77fe

Download Submit
C:\Vid8N\optixec.exe

Filesize
2.6MB

MD5
23bf8558cae5fba6377a720e22b34b7d

SHA1
962a3bb6cc205e7d487fac8b51b2fbee014ee13e

SHA256
cb70a011104042a4cd2f83bb070b4cc410bbea34c07fc96393cda3c18f1e0d7c

SHA512
a18213afa4a456afe4fc477bcb9d74feff0f60a4a053d50e9f4b9a6129e27eb62fea85659dd136bf7a3488c398452680b1aff12dc5f49310e9312f0a5f7daf42

Download Submit
C:\Vid8N\optixec.exe

Filesize
2.6MB

MD5
e41ee29609e55c598f789099a8b09d9f

SHA1
6ab2f5172a012fdd98b304c5e3fddcc459727a41

SHA256
aef2e9a7386a0c42c30c2c9adeb6ba20e3748d8dda13ead9727c161c79bd344f

SHA512
a7ba2d776003d9da015dfdead3522722396057ea266eba685d5caf625b1abba9165ea0e566bac23195c1dc2791b9e76db3c1f184eb51f6a884fdcffe14226ae9

Download Submit