Analysis
- max time kernel: 119s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2024 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
- Resource: win10v2004-20241007-en
General
- Target: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
- Size: 2.6MB
- MD5: 5a24aab9c57efbeeeddf8a3ab6fa1830
- SHA1: 806fd05f97b00c41e8f22905e1b9eaccf8d75af1
- SHA256: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952
- SHA512: 841d09a3b7c3d91936b1574dc2264a9b54a0177d949836ea8944e9fa6f31a77df0a32b049aa68919cc7139ceba699f2449d2430d2e582363d7235a52530bf4fd
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  4780 | locdevbod.exe
  4868 | abodec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ6\\abodec.exe" | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\boddevec.exe" | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 1372 wrote to memory of 4780 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 87
  PID 1372 wrote to memory of 4780 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 87
  PID 1372 wrote to memory of 4780 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 87
  PID 1372 wrote to memory of 4868 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 90
  PID 1372 wrote to memory of 4868 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 90
  PID 1372 wrote to memory of 4868 | 1372 | e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe"
  PID: 1372
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 4780
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocQ6\abodec.exe
    command line: C:\IntelprocQ6\abodec.exe
    PID: 4868
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads