89150caacad1e4aa6e4de536f445d68c2a00dc19329c08e2fd776b281fd40826

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
Size

2.6MB
MD5

cdcdc0a1e3a0ed6a801a8ab1415bb870
SHA1

b09b737f3340c906dbda57cccf33355f154d0970
SHA256

89150caacad1e4aa6e4de536f445d68c2a00dc19329c08e2fd776b281fd40826
SHA512

43d9fddfed193a1d20ded5ad4b80efe72743f86951574f0300c3ebab96deba68db86ff6cd18efc25e04319ce9878ae23130b4ce47586e400c1018e32069569ec
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe

Executes dropped EXE 2 IoCs

pid	Process
2500	sysabod.exe
848	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesA3\\abodec.exe"	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM2\\dobaloc.exe"	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe
2500	sysabod.exe
848	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2500	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	31
PID 1236 wrote to memory of 2500	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	31
PID 1236 wrote to memory of 2500	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	31
PID 1236 wrote to memory of 2500	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	31
PID 1236 wrote to memory of 848	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	32
PID 1236 wrote to memory of 848	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	32
PID 1236 wrote to memory of 848	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	32
PID 1236 wrote to memory of 848	1236	cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe	32

C:\Users\Admin\AppData\Local\Temp\cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe
"C:\Users\Admin\AppData\Local\Temp\cdcdc0a1e3a0ed6a801a8ab1415bb870N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\FilesA3\abodec.exe
  C:\FilesA3\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesA3\abodec.exe

Filesize
2.6MB

MD5
b72a8852933abdf75c476d54fb303abd

SHA1
c97c149f4f53caf3d625579c80d9c88352ff9324

SHA256
a193ddf3307415da44057dd50145f9df960f9e8d663b5af6d1b0171e43f77273

SHA512
5929c6793ac53f7f3805dc787b0775487d18efeac2a33d30f22517d44b63927c8e4e6e8d60a4a119a039f9592e91c5af8c6d7671a8b5703e4bb5664af394f571

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
8c610cd2b35c12835561c889daeebd5c

SHA1
a1e5b91cabd4d98e6e743994f5f7d674d5e5799f

SHA256
a6f00d03fee5065eed46f67b7c9a2693564a49a22860a2329942893bb3a35658

SHA512
8df3300205afeccfc0ef205b2e67256d23d76fceb2d0114a10f180a32eefd8457ed56096a6a3d91e4972906053ffefed33dd5f0f967ef214d5cb87f75f7b95dd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
e6647934d5ac0d39f49581aa09b7baac

SHA1
6616f3b3c99d1b0a1db5e83cc9f5163cec61d4a1

SHA256
8e0086ceef0944fd9e00d9c4172084774a77d15eebae04ac98f00807dd57f3a7

SHA512
580a17c261504667b9022662e7fd90bd6b33cbaafe7a54b2c06f40898ff2d7ffc08143e1a277314de1d5574d5b361697bfa9fd5508c2954d81357455956450c5

Download Submit
C:\VidM2\dobaloc.exe

Filesize
2.6MB

MD5
177a6f47f5177f29415767c6d90be32d

SHA1
a3c41455264bb624be01c75c71bcc0dd97336cbf

SHA256
202461085f318a95b6211993e4e922968eeb813da205935f3cb1b877644b49b9

SHA512
0f24a4b22b4e09a23f2dff271d5318b2318644c27d39fd4a4004485a75fe16d5cc6de75f1c73a59ed117fa97dff17c90d68fad0fc41783ee8467712a7c99810f

Download Submit
C:\VidM2\dobaloc.exe

Filesize
331KB

MD5
69c4341ae2eb7f25039a9c98e22d7685

SHA1
d609aac16024fb0db0fa20895a44e9c9367ab905

SHA256
ee53d4ed415ca134fa7358a5f6e323ac0d8f672c9a61b92d3ea7bcbbf0ce6b6b

SHA512
83057d4a1095ef857c89ff511ccf07e6a168ce26fde259aee6cc73a676c42c52645a907de219c1a0d0b2bdbb815627d2c7e2a77d6c50221947d3cb67fd3190bc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
5ddb2ac12b339c260ae5de059a0545eb

SHA1
406bcd2abc026646184399cbdcf3438e03ab6610

SHA256
6fba7734dac9bcc2756c9502703fe55ee0bee23f287cf922206151aefa3e7c31

SHA512
32f34ccd100234a13d8b4c2d61d4579df8fa19e1d58df574bfac2337e6a091acbef7e08551ce6093836d33cf7dcf971ec14246e91a27a6a921b7d61f14b4dca6

Download Submit