4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Size

2.6MB
MD5

d2964565021e5b414dbb62339f1f9b2c
SHA1

33db008120a7ba5c2c2995cd29ba2abe988b592e
SHA256

4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48
SHA512

be64b1dd1f2931310a4a5f1bdc28cb1f29bc2466f0a4342171249a3918034ea194558dd418369c8c6f48ca77f636debe16ae7a47c263e1d49284205abdf17315
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	locxopti.exe
2056	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY0\\abodloc.exe"	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTZ\\dobdevec.exe"	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe
2304	locxopti.exe
2056	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2304	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	31
PID 3024 wrote to memory of 2304	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	31
PID 3024 wrote to memory of 2304	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	31
PID 3024 wrote to memory of 2304	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	31
PID 3024 wrote to memory of 2056	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	32
PID 3024 wrote to memory of 2056	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	32
PID 3024 wrote to memory of 2056	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	32
PID 3024 wrote to memory of 2056	3024	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	32

C:\Users\Admin\AppData\Local\Temp\4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
"C:\Users\Admin\AppData\Local\Temp\4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\SysDrvY0\abodloc.exe
  C:\SysDrvY0\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBTZ\dobdevec.exe

Filesize
2.6MB

MD5
7f437ea726494e3811c5fda7f5b5e435

SHA1
b3af2ef7d4d36604341187ff099382bc5ad16604

SHA256
e5375b3275a7af16f8f9817212fb80da7844804dc719801ba72b78a4f5b00f74

SHA512
d9aec130301102eb2d64f91b749667054d11de60c128578e457bb44f7a15c5a7743a4efef2c0efb915f3f30c35cf51e3cb73877c4c886490ce50b5772d74cafe

Download Submit
C:\KaVBTZ\dobdevec.exe

Filesize
2.6MB

MD5
373dfafc7b4c390a13153f364c69782f

SHA1
e00420207005547f264d38216ba9d93e97474e88

SHA256
0ec56b70c35c9d5292f48852236e6c7774364ef1e87cda3992648a2ec8b906ce

SHA512
d388d2cb65ac46d114fec083f9beafff18000e6f3cad5919e2874887d8d4a0316b49310aa5c54e6fca78ca71e394a60d85f526301abe01671dc041fc1e57caa9

Download Submit
C:\SysDrvY0\abodloc.exe

Filesize
2.6MB

MD5
495dab6e6e5268b4e693c1e6e22106f5

SHA1
b8f2c84644d1972a168f0cfe3db53a1d2bde7d10

SHA256
5f555ade63eebb68a016d28fd5d6f03e6470c08cca9b947fcdc38a7bc553316f

SHA512
b315dc726188a59dbeee59e4086acaf57321d3119c759b73aef19eeb257f4db25c1d990687d20784283ddab9775ceabfc6c32fe6147ffc1b3c8bfad8a15d47ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
39761de07e100f33ef699cd2346af760

SHA1
2928809862e8b403aab49d8f2a7dd1c7510a99c0

SHA256
754dc38212d9c7303ae758695dc659124570b538a09e3952c59e6faddd5a43c2

SHA512
ff94dee7d984a2e5b2ed52da942bb84892855d688be3bc0a68ed8dc8804d501abe39b0b56b4bafc99bf6b021e67f13c1fd2be1bb2445d27b59c0d21966c37b6d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b34f824e2bead0184c4f29becc8d1cb0

SHA1
0596f07105d7d41ba12dc7516676c2c26b487f26

SHA256
01473298137c2260ecffe325ecd129019940b2ca13a20975ef8a7f3a74686519

SHA512
24d83501a1de4845f15b35b5af48d422eef80472a339b67d242fe9bb907bdd444986577dc3f66369287f79124162ab1456e30aeeb6bc59edc8aea34f9643cd89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
b870888c40c4fc1a7d1dbba0a1056c50

SHA1
407101a440fae9cac75ec1dd16394140b1a695f7

SHA256
92686075b2dd41cdc81a19598a17f7d9664ffc47bc063ca8f9e8324064685883

SHA512
c1e5f6780bf3c5d6bfa9c522a0e9a5c73adc6c50e2438fce3168aab74badfa44dedb8b8b36ae4051a506c1365489c6d0d7dcadc0afce3e5d444757a794d8d450

Download Submit