17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Size

2.6MB
MD5

0914143e1282401f23d0b5f072f8ee60
SHA1

cf2df366c40c1e38621da27eae9bab47a80d0f80
SHA256

17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c
SHA512

3eab0f2f6f75e3b65f01a245cccef81463d06d8bc4b507dcc2a525bed07494ae1c2896561c5994626eb53b867e4c5b9a4e91bce7ea346f9d07b4fbcedfcaebc4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpGb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

Executes dropped EXE 2 IoCs

pid	Process
2972	locabod.exe
1780	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMV\\abodec.exe"	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRV\\optixec.exe"	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe
2972	locabod.exe
1780	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2972	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	30
PID 2112 wrote to memory of 2972	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	30
PID 2112 wrote to memory of 2972	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	30
PID 2112 wrote to memory of 2972	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	30
PID 2112 wrote to memory of 1780	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	31
PID 2112 wrote to memory of 1780	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	31
PID 2112 wrote to memory of 1780	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	31
PID 2112 wrote to memory of 1780	2112	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	31

C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
"C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\SysDrvMV\abodec.exe
  C:\SysDrvMV\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintRV\optixec.exe

Filesize
2.6MB

MD5
cf38fc2f6d44dc298f8b6156f49c0e9b

SHA1
f769e6ff3779ac39a03f90ab01f133228c535165

SHA256
ed0a3b7cde2ad8ef612ec7b589ed201e71e85d00b48b961c2bba90c8ca56af1b

SHA512
ae3f1d99c74a0276f7b654c2657d761e4d0bd97376a7c5d7877d8c077386c48240c3d9dacd7d3282f4fbfff4f6db0b38c48ff63c6b10bc40d0f6e877a57d1a06

Download Submit
C:\MintRV\optixec.exe

Filesize
24KB

MD5
027547010286212d6a3acbd7bf152ce4

SHA1
d432f1f032efd81a41f763f3b795ee3de446879a

SHA256
f9fe4498177f63547ced689f454c9348557877a1df910231f0d7a51ddaac92ca

SHA512
387f526bfc40f8911e4e93ec9c56268efb0d5e8b734e2ae0ba2599d5187be7d9cf15fcf8fc86b146d9dfa8faef8b59c12fa1d34e659b66b802d5e84276c9f766

Download Submit
C:\SysDrvMV\abodec.exe

Filesize
2.6MB

MD5
c80b7ba17aca7469ea526c8675bce9e7

SHA1
9a12a096b758c1d7c9663a18bf537b04cb00c4c7

SHA256
5af73e5995793127052cc5ee84c225394437c4a4e334c2d55c2b57962d3fbff1

SHA512
c0d3238823d5148f8d5934d013bc0e399f9a712ab25c3708e8caa0d82b55839881ffab98fb926e0c0decf14e333961c16b2bde6980364f1bebe067dc50e00cc3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
5f5289366680cb922843b1cc8b6f274c

SHA1
af919c1166cc59facc157d9f9071514db22cb024

SHA256
e71e8213c28391bdc72114483093307f681ad5ef7d9e3bdc6eb95a989e7a8ac1

SHA512
e42b30717f54f8f36195511baa7e8155e9f224874ef7ae23fac4f56c952b45cff878a5147273a79b34bd74014f92530053c55c6d93f8c42827e8579a9c071bdf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
6fed7191051eafb5046242e3144e3076

SHA1
22f368a6a963ac4b88cb491304291d552075b373

SHA256
42c0b78e6db9131c95925e62d74f87076cd3cec4c65d1f0c4ff0ef1659633b96

SHA512
9088fe07e58371c4945d85788719e5078b2f2df54bc945afdcf732f8dbbbad4efa689042390338acfba21726c0fc6f2a51f240eb0d4113658c5fcf454c0a019b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
e162b1c18c1a0bdf01b566d1dfb69c02

SHA1
cef63031299772d63237d213d36205297eda6a03

SHA256
c9afe0c2b70a8b9c37cf58e7e70f0495a810c3475c4b3d600d7a839926b62293

SHA512
47ea621173010b8a1b7351e86b1c71b5b63af3507ab7627330c31da8d5d649c29dc45d405afdd6d53ffc306859c13a14f8faeb2b26ced3da4962e6bc1e8d38b0

Download Submit