c3b369a69848da75bc31098a6a4f24b036c2fcc9634f17451f06cbe213ef0f9f

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80965b44d705b5cc644160777d8e3cb0N.exe
Size

2.6MB
MD5

80965b44d705b5cc644160777d8e3cb0
SHA1

8c437db70779fbc40b86ff837e1f40dc1c7a539d
SHA256

c3b369a69848da75bc31098a6a4f24b036c2fcc9634f17451f06cbe213ef0f9f
SHA512

48f4fae9874dba2d3d9525e069ee139ea17b55c3c8bf592b466efa1ad5aeee482876a9c813dfb05ff227df5b45820754c0afc5a0d2443223f36a2f6eccba70d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUp4b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	80965b44d705b5cc644160777d8e3cb0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4636	sysdevbod.exe
3188	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP9\\abodsys.exe"	80965b44d705b5cc644160777d8e3cb0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5X\\dobaec.exe"	80965b44d705b5cc644160777d8e3cb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80965b44d705b5cc644160777d8e3cb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	80965b44d705b5cc644160777d8e3cb0N.exe
4560	80965b44d705b5cc644160777d8e3cb0N.exe
4560	80965b44d705b5cc644160777d8e3cb0N.exe
4560	80965b44d705b5cc644160777d8e3cb0N.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe
4636	sysdevbod.exe
4636	sysdevbod.exe
3188	abodsys.exe
3188	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4636	4560	80965b44d705b5cc644160777d8e3cb0N.exe	89
PID 4560 wrote to memory of 4636	4560	80965b44d705b5cc644160777d8e3cb0N.exe	89
PID 4560 wrote to memory of 4636	4560	80965b44d705b5cc644160777d8e3cb0N.exe	89
PID 4560 wrote to memory of 3188	4560	80965b44d705b5cc644160777d8e3cb0N.exe	90
PID 4560 wrote to memory of 3188	4560	80965b44d705b5cc644160777d8e3cb0N.exe	90
PID 4560 wrote to memory of 3188	4560	80965b44d705b5cc644160777d8e3cb0N.exe	90

C:\Users\Admin\AppData\Local\Temp\80965b44d705b5cc644160777d8e3cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\80965b44d705b5cc644160777d8e3cb0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\UserDotP9\abodsys.exe
  C:\UserDotP9\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ5X\dobaec.exe

Filesize
61KB

MD5
ec38d24cdd2704cd7db62f1730ccee06

SHA1
e2049a2c94b1c6e677b49ea70935de9ea3643765

SHA256
dcdd6114a98b576ae6e36fec702dfe98e8f8adf74b07ec2111ca048f4fecd7e0

SHA512
570d8219cd11a7c452cc809b72ea8f53aadbab44cdbe06aef7076161b03f0c7d026b8d3cd95f435d0ec3dc63e6be69c1d7513c8691273c62b52dad7642b076c5

Download Submit
C:\LabZ5X\dobaec.exe

Filesize
41KB

MD5
1a23ec2027f1b25d36cdd2ebedb6dbe0

SHA1
dea49342dd5d25e1251127f038d63e1e2931e3b0

SHA256
2110ad2ba05c2f9e3b733f1229b2040a2f1055e216fd08ee15bbd366d54146fd

SHA512
871ac54c9d58f9206613e1c427b638ed18eee63adee87ffab33924e7df9440d9655a5483df04caa307d8236c4bea6bf4251d4866f69c9315788d51f5d0e77d6e

Download Submit
C:\UserDotP9\abodsys.exe

Filesize
936KB

MD5
3c2ac8eac33c79e0a6c853faab9405ff

SHA1
f9482e95286c0cb69ee6b3f1b03c9165dd1447f1

SHA256
335228d7457183c2c60208d95089e70c28b02b655308644c97a01704e365a5db

SHA512
0b0d9d8b9f813270ff04f6f6d4f6bf199256556edb08bfd3bc98851653fc4fdb5fa7126cdc21725b5fb86bdefe76c9e4a9abd4ef00c2d8859082ca6a7fb726b8

Download Submit
C:\UserDotP9\abodsys.exe

Filesize
2.6MB

MD5
e0774307062a9689b6809f0cdd6d1591

SHA1
df68a612115f1ac4536f902140d978679d1dd5fb

SHA256
f5a020ef11b8f484f60f8c063043b8a5401fac1a4612256d6f54c3914a08866e

SHA512
0d113b23ed1a81b1a482433eb925d1f635759dd5aa6f9dbf04b06b2f66a6498aac89e092f6d8abd16f33e67175a9537ff7e44ae56f217c41543976547c7fb6de

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
5e8c6852aef7b24c6637a93fde3d1853

SHA1
6e71716a507fe0ea32e3f99c611fe6c2abd4bd65

SHA256
91f9c37d193c5ad0290938426b3ac55ed8f1ba7657732df6afd83e9b5bb2fb46

SHA512
0059625dcaa79a6f306ea823508b2c6f288c48ac32e69c040ced556fd0e831bfbd46942cb09c2e738cbd4f21c4e754bca96faee26c66765151b09ac2586cc950

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
d80242a6d0cc762c772f318ff98349f1

SHA1
9df217006351cfed82dda72dbc3ead378a702f3f

SHA256
7bf6baf7cd44036733bca4345690bffdf7376820eaa584f10ff9cb3a63eb012e

SHA512
ca196965c2e5d41d359373616c613acbbe58d916b461e5e319d3f6ba9a2eff565ed8b93632543f188d0122d0c146f7906a56dd6275ff493ec5e4cdbb3c113729

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
406f9073bf937fa7a663b0bc68281cff

SHA1
7442c98ea9eda70660502c1fe793962ac9fe9381

SHA256
3eb8fc48a2f9477dfd47a40837b28166599c32f426895a40cbad92e592439d0e

SHA512
db02e0e5e8491d9e8c564c1b1e68b63c2f81bcff39d3f99b227d86a836d2d58900e1d30cbf2ed3d374dcdea108ea822db3eac8be5dff939aeeb3704e577d065e

Download Submit