Analysis

max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2024 16:58
Static task: static1

Behavioral task: behavioral1
  Sample: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  Resource: win10v2004-20241007-en
General

Target: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
Size: 2.6MB
MD5: 472bd8b04f1ef850d7444b945f4b4b10
SHA1: 369f37738c50768e1092c6abe618d6023d484e65
SHA256: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3
SHA512: 83272470b2d06ab3dc2e67afc7b224f6ba9df5b8ccebf9c3dc9f8755d1fd9d3d7b4eddac4f18d145cdbb57dc8c479316bdd87df09dc5325ef2b45c1420b9c117
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)

Executes dropped EXE (2 IoCs)
  PID 2412  locdevbod.exe
  PID 2836  abodec.exe

Loads dropped DLL (2 IoCs)
  PID 1244  fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe (2 events)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePE\\abodec.exe" (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP7\\bodxsys.exe" (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevbod.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process                                                                 events
  1244  fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe  2
  2412  locdevbod.exe                                                           31
  2836  abodec.exe                                                              31
  (the report lists the 2412 and 2836 entries as alternating repeats; 2 + 31 + 31 = 64)
Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process                                                                 procid_target  events
  PID 1244 wrote to memory of 2412    1244  fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe  30             4
  PID 1244 wrote to memory of 2836    1244  fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe  31             4
Processes

C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
  PID: 1244
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 2412
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\AdobePE\abodec.exe
    command line: C:\AdobePE\abodec.exe
    PID: 2836
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: e895e667bf68e89ff37fed6cf19605d1
SHA1: 0b3d87a0556d0cc2b6f445f6cc93d05607b3398d
SHA256: d78f5779f21b217770e6add6f045d9e3d0afa4821b5d5d8565668061fcb8ddda
SHA512: 2be9db3dfad74c77f8ad02084ab7bf6a500ef0a13af51fa33772343390d4a9d97f6093352c3686632e16228918f3b6c25dff1726643c6851ea1d8dc5b38e9768

Filesize: 2.6MB
MD5: 06510a26bee2ed170962571fccf9bffc
SHA1: acae196b6875532c9dde736a885cb4c252f9d6cf
SHA256: 4e4fb896431ab770ebea75879259afdb506ec4acb58b5426e2ff1d4e2cd9a6d2
SHA512: c4c9cb21604fdf3b4917a463f2cab475b6fa5f2ee5a3d34aeee88c6fbd9584b372f6bda24cd69b9484c503c1996393d79f0b1f005dc6f91fe0eb7a6d3461e18d

Filesize: 2.6MB
MD5: 646338675afa7f4f916cdd19f15e7ddf
SHA1: 481738d4670f9a998e173e3dee5be78b50eed8af
SHA256: c8cb6a65fde8e9237185db6b793d9d4445649617cd227f5389789a2f6d22c572
SHA512: 7bb8050808ba437a5ecc33cf54dc7cfe6c3502f71f6c56e8a8863acfddb0fce67d823bd915614310f64709dd00e1674906b2fdc3f2e575a647f9d54a4542f7da

Filesize: 169B
MD5: 4c903d255c80a955bcfd09767da75318
SHA1: 48bcc10d56aaae2af16483d8e34bf5bb0ce813cc
SHA256: aa98593121332bba01772abc258832b83dd06988b28d147935ab9951b0ac9fec
SHA512: cf6f425ca957bf53151dfca2bb3b0c469e0806e7716f46a63c6c19e2db7f9948d82b8172d52c261645175cea1189b90287507a7314dfa3476d46eced34b0fa7e

Filesize: 201B
MD5: a60363e2819832539c98a6b384ce52ca
SHA1: e91dc1abc3dbff47635d91ee90be0fd63ca4f9fa
SHA256: 43a56088484ccf4b1e810a0c71db22b447925fa634fd4b2d8bdc8210d8099cd1
SHA512: 2c345eca41866dc4972f959b8a96f35cb7f96d78b5a14b9679079e4da99c99e0e6a87381cdc2e7ad6de818fca50506ac6a2a21af301569dfba400b27ba1b77e8

Filesize: 2.6MB
MD5: 433da50c4114d276ebd94f86c1e34c02
SHA1: f2dd02ab08a1c7e45860dfe32a589e49498d0767
SHA256: cdb59dd2d708f3685e7f4c813da6c0d00f248885f48613c2e8e95f2311c1ed04
SHA512: 04d9781eb779301970c27facb92740eba8d6fb49039520056800ba777b133a3d0160ee1c04a3251963b12236c02878bf796cb0e7d612d4e5efc381f128542ee5