4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
Size

2.6MB
MD5

e7b110b1bf8c5cf55a35b79009a716e8
SHA1

be6faeea156d7659fc4e2e6496e15c7634caf7cf
SHA256

4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7
SHA512

ebdbe1c6d903692d520cfd75d79c6dd930c64ae15d5fbe556e2f77516d4c99b338b2ba75289e43dfadced9a5e87c30da0ee13cb1426d30ff80cf6d6b59f570de
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	locdevbod.exe
2648	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe39\\adobec.exe"	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE2\\boddevec.exe"	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe
2968	locdevbod.exe
2648	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2968	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	31
PID 2688 wrote to memory of 2968	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	31
PID 2688 wrote to memory of 2968	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	31
PID 2688 wrote to memory of 2968	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	31
PID 2688 wrote to memory of 2648	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	32
PID 2688 wrote to memory of 2648	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	32
PID 2688 wrote to memory of 2648	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	32
PID 2688 wrote to memory of 2648	2688	4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe	32

C:\Users\Admin\AppData\Local\Temp\4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe
"C:\Users\Admin\AppData\Local\Temp\4c3507bda3d869a9e426321983dc3fccbb3ea62da2dcca13484bb49a0f2d23a7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\Adobe39\adobec.exe
  C:\Adobe39\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe39\adobec.exe

Filesize
2.6MB

MD5
9ad1609fb738a4c0887b8f58645ea022

SHA1
9771a104a761b4a054ad19283f668df57f7b2573

SHA256
ad955679275713cc806bba1ea9c7752bdee10b01abfb0ab600855c601cfa2754

SHA512
11feb950316983fceaec34a4390886cb6f9a17af465bd2796ab985cde52c2092bd470c31c9de619b2889b40f305f43802db0da0cdd5f9c2e29d71676251351a0

Download Submit
C:\GalaxE2\boddevec.exe

Filesize
2.6MB

MD5
540356429ebf07c0a35161366231552a

SHA1
16746269967bf0668957d98c51c020d82387fd9f

SHA256
8cf2f5147fd5ddd05fc09bc5c9c92a8104b2393e21ce3672d7ca2375207654ba

SHA512
04391960751748c4b30332ce15bc5a0f6a78ef8ed4b0f0e325ba9088cdf6e6b1e4dc3e4816bf093317831fbd3926df25440b3ba7f211903e8b052b938b573083

Download Submit
C:\GalaxE2\boddevec.exe

Filesize
2.6MB

MD5
a4e4f1bb3f3461c96e6dbf353687a412

SHA1
40e7bd81adaaaa8327370813c6d960966411d1dc

SHA256
1eb6b0d823697c5e9429a81488cb2af21569fe18862662542f38795cc4db05d6

SHA512
68e3bd83673c2063388422afe33cd7ab40302f4f4defe45ce7ebb9c58f73f224ac3d2e12ddb67bc99d28cadb420b73d3a5ad32956902c7517f00b82c804df10a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
431538359940425fe2a539960e37dcc7

SHA1
743f49486e2989c843849999f375f57b27de0c75

SHA256
2f5a93127a6f97f9d190684ff902a8d93ed03b4f212a11a8cc20c40578ac812d

SHA512
b63da1da6a9852283ba7328a684dfa160b13d537b2ce41e1cc0d369cfcd7cd7f8b50e547f178803fc24a90690016918c33fa66924ad6c612a2764efdf2ce7a5b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
9920c1bf6ba2d977b016811f51fee7a3

SHA1
697847682ea7f619cd8b1d2cdae29fb0557a8356

SHA256
504d67481085af847a944fdc3766f5db38958f94c149e834a78221c5ac0e993a

SHA512
7cf7a3b390f5b98cfd24d2417a26d1f29db89feeacae28d4e88ce4f174e2d7553d0331ea7962a328bcdec43e6f15c3b8b4958ea5ac695c29e82976ec3f031ece

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
d765babf6f28a589e146b799761e61d7

SHA1
e14f3aacf65a7ff8f2f03479ab30107f4313bc09

SHA256
ecc625ee0603eee31e8fdb768bf41919bfc10f9a4531701154a3721be845b30d

SHA512
25ad8c34f95d47d44abb337be857c1f2e273b82ad992f92610636fa73aa8cc8f161b93d0c5def65f37d46d185205be9b2e83a9880675fdb80b5c30b3606929a3

Download Submit