cb709e197edd5aaaeb940f757f8bb7e23a0b1e11d5e34561200b38635b0bddea

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855dcca669144d13c8b07ea5bbfd6760N.exe
Size

2.6MB
MD5

855dcca669144d13c8b07ea5bbfd6760
SHA1

0d0350a79c13baacdf1bbf05ffdf0573692a45fc
SHA256

cb709e197edd5aaaeb940f757f8bb7e23a0b1e11d5e34561200b38635b0bddea
SHA512

81053959908c5d6b20f21cbd2063c9017cc4b4af1a8065b9a150bf87f4a8d4e0e010321621dc6ac09863f1f38778c6fcb30be32432a6403982661a54fef7036f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	855dcca669144d13c8b07ea5bbfd6760N.exe

Executes dropped EXE 2 IoCs

pid	Process
2440	locxbod.exe
2268	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	855dcca669144d13c8b07ea5bbfd6760N.exe
1652	855dcca669144d13c8b07ea5bbfd6760N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYG\\abodec.exe"	855dcca669144d13c8b07ea5bbfd6760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax44\\dobaec.exe"	855dcca669144d13c8b07ea5bbfd6760N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	855dcca669144d13c8b07ea5bbfd6760N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	855dcca669144d13c8b07ea5bbfd6760N.exe
1652	855dcca669144d13c8b07ea5bbfd6760N.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe
2440	locxbod.exe
2268	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2440	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	30
PID 1652 wrote to memory of 2440	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	30
PID 1652 wrote to memory of 2440	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	30
PID 1652 wrote to memory of 2440	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	30
PID 1652 wrote to memory of 2268	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	31
PID 1652 wrote to memory of 2268	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	31
PID 1652 wrote to memory of 2268	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	31
PID 1652 wrote to memory of 2268	1652	855dcca669144d13c8b07ea5bbfd6760N.exe	31

C:\Users\Admin\AppData\Local\Temp\855dcca669144d13c8b07ea5bbfd6760N.exe
"C:\Users\Admin\AppData\Local\Temp\855dcca669144d13c8b07ea5bbfd6760N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\IntelprocYG\abodec.exe
  C:\IntelprocYG\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax44\dobaec.exe

Filesize
2.6MB

MD5
a1118f0d75e30a40ffbeaa12015fb240

SHA1
88a93969373840f6c72880eb96da2c2c67e9aaf4

SHA256
38cffa408d9470a5b06af579be2294498b87ba311d8d91b5f5925203ecaa7231

SHA512
8b03bd3f47b370da80d6ee2bd68cd21fcf18a007602b5c496ed65b73e1b70865d2d31c4814c5b7da2fa6b6f2ea586eab8b068c872474786fab3cd806aab29e85

Download Submit
C:\Galax44\dobaec.exe

Filesize
2.6MB

MD5
d34e11675ac41098389140fd19e9cf30

SHA1
33d2adaeb8d8e77f1592beb9c5241d6da432fbf6

SHA256
63c1333ec68452826b1ed3801f7e453c4d098c3eb33a6329208c8c9bcb7a2db7

SHA512
5b5f7ee84ffbaf8d7900662bc586c46182ff0324a411432c3ad0141c2099acd8a5d4e9e9bddd4ce493ebc8df526a7d764247e7e00717d726cdbbd40b83c2b9e7

Download Submit
C:\IntelprocYG\abodec.exe

Filesize
69KB

MD5
aecc98b37d7f490adb3a54862b96df3e

SHA1
42f7ace5f99889bbbe721c5abdd736a72bdc54c5

SHA256
c19873eafd6b127da338fbb8e5ac49eb9fd2d6f976d053cea6ff021fba3eb459

SHA512
77a1ba45d06b3f2c569a5b77e519ae088133d115c0224924d8dd666cb850682079a706b885395bf48f7d76039310165ee9cebe3eebb6b6058d422545eedb382f

Download Submit
C:\IntelprocYG\abodec.exe

Filesize
2.6MB

MD5
28434db2d2df4d405e1e9d2b2c5dae33

SHA1
500e5d6ebdfac120d94255710da32d486ca74b33

SHA256
05ba80c1091cedbbba076f1e1d104d0b4f8794d9d909b71e2aa1376b0bc6161d

SHA512
fb7f7ff5987526a3c307127867d2b459d3181ede3a0f15f51c808e7865a6380112e3f31dd550dfd5c677a756d7a46fd83d903e37c4623793363ff76fa1446a7a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
1cf2a0f69312637c1370f53220cc35c7

SHA1
91701558ae0b57b7b5f47ecd4a45c39b75998711

SHA256
068581361f92c616e7f7de5f864a52ecf6570bce5de32019135a5e236127c8c3

SHA512
b6085e78a2ef5c54bc219033626b6668620ab2595a8214238b3ca7bd5b2f190449653b391e05631872fee27d52f3ce0c3e48dca6f4b15fae2cab7f3eac0120d0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c14f118cc79831419a9de19ba9c0051a

SHA1
e7e412418c2b9bbd5cbeadf237926c784bfce53a

SHA256
f6ce17908c2c5afb1c0405a65b3cff0558d172e91b7706fa355a3feb29ebf9a8

SHA512
bf600b3a33fbe12103ca6e7cb945da4246abfab0097a6eaffbf2fca191674ecb5bf694274c88995ac06fe8a76da2c2287b91b6812bc522e98801178bf8abc1ed

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
783baafef436fe35a77748f53c029a2d

SHA1
cfc06f708055faa1ff42ae98d01c069bba38c2d4

SHA256
dcf5d33d9696f69166bf7fd8a8b5f42b07cceee991308f1c85bb8f7b564c2ef8

SHA512
b9a51f664069f71bc5abeed3663e31e528d68e9b711fa6487b65ff34dcd33244e3c6fee62e2396aefb88993f3960bdefaf05e216fbf3b280062ab607c4482a6b

Download Submit