59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1d

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Size

2.6MB
MD5

914005ba9c41c73f44f7ae9e58ddd310
SHA1

abbd268a9e14d207502da3623540b3054a0de783
SHA256

59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1d
SHA512

3f023b245549dff6f932af3a39934e54045fafaf807d359dcda663f29c7a31c51a0f0986981fcf6175f2a64e12fb315605b05ec9d2012200357a7516fd95a8e3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	locxbod.exe
3036	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1H\\optidevloc.exe"	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBN\\abodec.exe"	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
2396	locxbod.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe
3036	abodec.exe
2396	locxbod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2396	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	30
PID 2488 wrote to memory of 2396	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	30
PID 2488 wrote to memory of 2396	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	30
PID 2488 wrote to memory of 2396	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	30
PID 2488 wrote to memory of 3036	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	31
PID 2488 wrote to memory of 3036	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	31
PID 2488 wrote to memory of 3036	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	31
PID 2488 wrote to memory of 3036	2488	59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe	31

C:\Users\Admin\AppData\Local\Temp\59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe
"C:\Users\Admin\AppData\Local\Temp\59dcbf84eba3faff5d10bc1037fe4d804be732830a0417aaa9b4443715552a1dN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\IntelprocBN\abodec.exe
  C:\IntelprocBN\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocBN\abodec.exe

Filesize
2.6MB

MD5
bc126858dd8e12ccc3ee648ab5674186

SHA1
3cbcd2ab15bb3c7127cf148b0eb32d0eea1f848b

SHA256
48ca76d2584001a2e45c38de2768f1644af451b44ff33b3ff610b1a7f41fdf1e

SHA512
e15140ffb6959d235258d5327236ecd6b11fe2aa7f39cc8d68ca8eeb513738f675f5136caf6c00c6198261169a9ad6215910c562eca4b2e5f89874a29f16b8e9

Download Submit
C:\Mint1H\optidevloc.exe

Filesize
2.6MB

MD5
887cedec341b0fbd827dbc879748c680

SHA1
68ab920b7610cc7d32d0e6ded5578e3595626d89

SHA256
cddbecfb445b08f7f4dd6b3509c2a959e1d496af3ff5a37195034b979762f6a3

SHA512
cad2ee860967a0f014b1550cee41b4ac97368b13fd0d4969c516ab4e33888827ca5afb3d4d81698efdaa2899dfe1ec83efa1d9cf3e389af4064b7031a54134dd

Download Submit
C:\Mint1H\optidevloc.exe

Filesize
2.6MB

MD5
a127f0f2cb78d7a0421e9249de2e121e

SHA1
7d3f8708fc7325b0579cb192ea53bc172ce34f02

SHA256
ad96e63107d77f59f620185f1795cfe64b17556bee161e6c184e30714c08ca6e

SHA512
d359e9a5be0ad009da3e2dc09b1788a7ec580763355d45de2285605df5b6a126cd75b193ef8e752010cc3312eddb83d3a0b81d94da7ee1250c4a7cdacc71286e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
21571caa66b6c294e7c3c33e12fdd73a

SHA1
2e669ba46710d02bba79cf8c0bbcad94de7bbb1d

SHA256
dc2da8414beaaa78ecc720edf7238ebe2d5f06d311ef1cb72b3d4dfcbda68d3e

SHA512
4f1d1efae5345d8dbcb513fd07f1fbfc6576694b01f673a7424c94344faea8076d3f8113295aefb8c16c759fb99f9bd19523ca3356f524c7859331b328a5e4d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
966bf509397823c468d8bb3061d3b39d

SHA1
be33a954fc15c3eedb6e8a062b2fa4333021064e

SHA256
f27859285c2947c832b3282e8c3ae9de3f973c0de4d97934b6d443ada076d282

SHA512
d5d83465d92c6aac032f20aef26d48c8efccd3557e1615b0bb2ce98fb1168a4039a774327e8872a18bf9591c225495efb4d9a83f458f4143a8a4990386552666

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
098a579ddb3679b0ddab0df0bed61d8d

SHA1
9b125c866d132aaea4f11310550de68961900699

SHA256
d7d7e61953c07ad438149ee771fddd5fc143130ab13614698cde1e5c1ad40590

SHA512
a28825b40748f02217bdeadc993c89780f729a6f30400f7ce557306a6e16bf1c53cf29753a20e0d5c01c15ef026752da498e5c953aaa872319434e447d2c58d5

Download Submit