Analysis
max time kernel: 119s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 14:06
Static task: static1
Behavioral task: behavioral1; Sample: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe; Resource: win7-20241010-en
Behavioral task: behavioral2; Sample: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe; Resource: win10v2004-20241007-en
General
Target: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Size: 2.6MB
MD5: 9d752bdae09a495d85880ae91a3a6aa0
SHA1: ec619537bebd9e9bd52918f4c95cbfb3fe98b634
SHA256: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281
SHA512: 5d6a717459ad495c5416919201e8c4df624c931eb9e05dccaed776d956087768f757c542be407d925a52db1614efb9360c2b8177109f409934d8106cec5438c7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpsb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (process: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe)
- Executes dropped EXE (2 IoCs)
  PID 4772: locdevopti.exe
  PID 2596: abodec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWF\\boddevsys.exe" (process: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHA\\abodec.exe" (process: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1580: 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe (4 entries)
  PID 4772: locdevopti.exe (30 entries)
  PID 2596: abodec.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1580 (81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe) wrote to memory of PID 4772, procid_target 87 (3 entries)
  PID 1580 (81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe) wrote to memory of PID 2596, procid_target 90 (3 entries)
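The signatures above describe two user-level persistence mechanisms (a file dropped into the per-user Startup folder, and a Run plus a RunOnce value both named "Parametr") together with the paths of the dropped binaries. The following host-triage script is an added example, not part of the sandbox report or of any tool the report was produced with; it checks a live Windows host for exactly those artifacts. It assumes the artifacts keep the names and paths recorded in this report, and that it runs in the context of the user whose profile is being checked (HKCU resolves to that user's hive, which is what the S-1-5-21-... paths above refer to).

```powershell
# Added host-triage script (not part of the sandbox report). It checks a live
# Windows host for the persistence artifacts listed in the report:
#   - HKCU ...\Run\Parametr and ...\RunOnce\Parametr values
#   - locdevopti.exe in the per-user Startup folder
#   - the dropped paths C:\AdobeHA\abodec.exe and C:\MintWF\boddevsys.exe
# Any file found is hashed and compared against the hashes listed in the report.
# Assumption: run as the user whose profile is being checked (HKCU = that hive).

$KnownSha256 = @(
    '81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281', # submitted sample
    # Unlabelled artifacts from the report's Downloads list
    'a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c',
    'c83ba2cd444c995b05d8d9b93040da48415066844c3166510c5dd27ff3524b36',
    '833d0577c3514dc8d97bc71854a30666efcc5ad75334cde6ade2f634c6ca0416',
    '3f18d1d03400c4d710f34982399fe5eeb8c6a1ec26c52f5e60d3fbdbb38a176d',
    '559be818e05fd6ba84f5de614955bf3bcc429659026f3ebbb7535b978ceebe05',
    '5bb0921bfb7da3aea4a40eca1253afd55b895846bf8506d2ecb841ff1c59b653',
    'c86747233a5ccbe6ddd3a490454f7f385c3ed806bf00da85242017324401a7db'
)

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Record a file if it exists, with its SHA256 and whether that hash appears in the report
function Test-SuspectFile([string]$Path, [string]$Why) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $match = if ($KnownSha256 -contains $hash) { 'matches report hash' } else { 'hash not in report' }
    Add-Finding 'File' $Path "$Why; SHA256=$hash ($match)"
}

# 1. Run / RunOnce value named "Parametr" (the value name the sample writes)
foreach ($key in 'Run', 'RunOnce') {
    $regPath = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
    $item = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.PSObject.Properties['Parametr']) {
        $cmd = [string]$item.Parametr
        Add-Finding 'Registry' "$regPath\Parametr" $cmd
        # Strip surrounding quotes and check the referenced binary as well
        Test-SuspectFile ($cmd.Trim('"')) "referenced by $key\Parametr"
    }
}

# 2. Dropper copied into the per-user Startup folder
$startup = [Environment]::GetFolderPath('Startup')
Test-SuspectFile (Join-Path $startup 'locdevopti.exe') 'dropped into Startup folder'

# 3. Drop directories named in the report
Test-SuspectFile 'C:\AdobeHA\abodec.exe'   'Run\Parametr target'
Test-SuspectFile 'C:\MintWF\boddevsys.exe' 'RunOnce\Parametr target'

# 4. Running processes carrying the dropped names
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -in 'locdevopti', 'abodec', 'boddevsys' } |
    ForEach-Object { Add-Finding 'Process' "$($_.Path)" "PID $($_.Id)" }

if ($Findings.Count -eq 0) { 'No artifacts from the report found.' }
else { $Findings | Format-Table -AutoSize }
```

Two caveats when reading the output. A RunOnce value is deleted by Windows after it has been executed once, so an empty RunOnce check does not mean boddevsys.exe never ran; the C:\MintWF path and the process list are the more durable indicators. And the report's Downloads list contains three distinct 2.6MB files, none of which carries the submitted sample's hash, so dropped copies need not hash-match the sample; treat the file names, paths and the "Parametr" value name as the primary indicators and the hash match as confirmation only.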
Processes
- C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe (PID 1580)
  command line: "C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 4772, child of 1580)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeHA\abodec.exe (PID 2596, child of 1580)
    command line: C:\AdobeHA\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 24KB
  MD5: 541fec65455d5b34bd07a7b314994d2c
  SHA1: 55079bcde6bbc149b17389609709433e60bfb3d4
  SHA256: a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c
  SHA512: da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e
- Filesize: 2.6MB
  MD5: c2b2acf0f8e200ca1969f8b7a2703454
  SHA1: 5cd716b21080599f03a555919207831c2ccdb5f7
  SHA256: c83ba2cd444c995b05d8d9b93040da48415066844c3166510c5dd27ff3524b36
  SHA512: d0e0bdd53eca43f361e8bf9230879293585eb1bc2f926e5944d0eb371b46712da7df02f49a50296dac8977442184c706643897d6c33708184ef2a73454b6c078
- Filesize: 279KB
  MD5: 9d1ab53997f65bc5185b49b6e2479ef2
  SHA1: cb532aa628a2837e0752bd57d69b4451291e9f2d
  SHA256: 833d0577c3514dc8d97bc71854a30666efcc5ad75334cde6ade2f634c6ca0416
  SHA512: 68ff0256151067ddddd4d98e0d075a3b5c7197dc87c2c65a12e0de39931c65a5d9b8f70f0c35857130625c6c4b51d2f212f5c74864e5f8a3b52afca76ecec0cc
- Filesize: 19KB
  MD5: 5244a0d911bd0209858fb5dd73f185bd
  SHA1: bad354400dd074b1f428dfd77bb1e9d0fa33eae0
  SHA256: 3f18d1d03400c4d710f34982399fe5eeb8c6a1ec26c52f5e60d3fbdbb38a176d
  SHA512: bb44dae1f47d312ba70fb07f3f78f118fc54476508654d8c920ccb2764e193de902fd13dcd82f6c9f4e48de5c8921272062cdb118ddd04725d702df7195b6d9d
- Filesize: 204B
  MD5: bcc190c9fd19871f6cbac75c66a5d935
  SHA1: 7d549713e91c2114d4d46b9ed569d5c73eeadf09
  SHA256: 559be818e05fd6ba84f5de614955bf3bcc429659026f3ebbb7535b978ceebe05
  SHA512: 2f63c823ecd949ac46f1341c958febc4c92a24510114c494813c709ea925449a95e1cb0d6117d1d0a925eb5b6e6e31a9a174380c8872aad79be772206bb4c616
- Filesize: 172B
  MD5: bf3ac8f721c346a999b35651af86d8e2
  SHA1: 43d3a2c14abfb970a1577c32d6c74b107d4f31b0
  SHA256: 5bb0921bfb7da3aea4a40eca1253afd55b895846bf8506d2ecb841ff1c59b653
  SHA512: 75059437184a3fb5d64eae6b619477750f4abbb59483153854a8d3b8364b8596862c6297638dc01ac98e75e783419dcb9fb83b40e99dca389de95f08b45e4d3b
- Filesize: 2.6MB
  MD5: c9cf926f245f36c4d22b62db54335ec2
  SHA1: 56a9b9b0e6098f560a27bd08f0f65f63c0a87ddc
  SHA256: c86747233a5ccbe6ddd3a490454f7f385c3ed806bf00da85242017324401a7db
  SHA512: 834db0551c3de6e77812fbd57d93216ebb1057436789a33121004300d898a75b825cad442d6fc6ce18f3a3b6ddc66326fa3f47d5b982941adab90540dcb37840