Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 08/11/2024, 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Resource: win10v2004-20241007-en
General
Target: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
Size: 2.6MB
MD5: 23e5741a9817b7a6135e8fe7c1cf6110
SHA1: a3e03c16f065cd045e2ee5b7e27b046aa2c75ed4
SHA256: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03
SHA512: c7085468fad9ddbe62b5aad2b316813bf6bab358041dbcd7ed05542d5d7477825a28bc6fdac6eb90b02b7833d205126bf147bed93272a3ee77b8e2cee44462c0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb
Malware Config

Signatures

Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1648 | sysabod.exe
  2600 | abodloc.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1O\\abodloc.exe" | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZE0\\dobxec.exe" | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  1648 | sysabod.exe
  2600 | abodloc.exe
  (the pair 1648 sysabod.exe / 2600 abodloc.exe repeats, alternating, for the remaining entries; 64 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2584 wrote to memory of 1648 | 2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | 31   (4 identical entries)
  PID 2584 wrote to memory of 2600 | 2584 | b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | 32   (4 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe (depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
    PID: 2584
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (depth 2)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      PID: 1648
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\UserDot1O\abodloc.exe (depth 2)
      command line: C:\UserDot1O\abodloc.exe
      PID: 2600
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 2.6MB
  MD5: 37ec865423324808010f44da53a04a7e
  SHA1: f7b6574c6068a87742ae65eb65631dcc7037af85
  SHA256: 37b1fff7af08fc01d50d8d0375b08d9a12b69c5f0e6ecf1740e6162205880d1c
  SHA512: 85a83aa58bef7f4173ab0164bc63d45541136b09f650177f709f3c36e0fae7a5c12c39fa00be2519e4e6dadb701c717defe08678f9c4d60c75dde27aa33fe789

  Filesize: 315KB
  MD5: a5f5abe78aea816256f1a9c58d2d67d8
  SHA1: daf3591b038d8c6dd42c9337374100c7a612e917
  SHA256: bb0c2e66b816aa8d8b5d3be885824cf1de8135434684977b680d07b596f40c28
  SHA512: ae2f8567cc511e9651c44bab0676603f918da71bb07d91f9ffd6bd474213823187d7a4b601509d172ca67ad5a5db265e53bc0a779d35cfea42e99d4ae2245eb1

  Filesize: 2.6MB
  MD5: cd72d52aee41a314165a81b867c196dd
  SHA1: 9f410976532d24c0aa7fbcaadfe4d576618646f5
  SHA256: 81529b8dd4e9112798fd294e91e5df72adcbdd2472f353652446d14d099b1826
  SHA512: 125e9f5065471a1ea47b8f85bd6ea7d65c51324f76c1342beeebdfc802648a81a1ec837d7dfc40b6ce7aeedbeb10816672fa649d4617d863d7b3c680b80e05dd

  Filesize: 169B
  MD5: 7930e14bd379acee77c00ed13dbd967d
  SHA1: 7e631b89003c26e724fd62c3007f666eff38bcff
  SHA256: de1df46f215ad921f6c5ca6c9eed067cf7d0b1099bfc2c13f1b282c8e8c37066
  SHA512: 086cc633ad69db5d31b56e82e1237cf8a09f2b134a1d1e62b575ab35b56b779a643e9a6164389bb916457d33ec47e92cf208442905556b38394379ecf57d05a3

  Filesize: 201B
  MD5: 1cd7d8cdb61dbc52e1784d38c5b3bc67
  SHA1: e370d312acd9f80c51f9c5ca4fae96405ba207a2
  SHA256: 4d6faab6a156e9370d0dde5e8107d4a409f7bb971a487090331da75dcde394c2
  SHA512: 857cec9b63cf9398af334577c7ccb393524fd7c94d6a2a40adaa2fcded8e034d3d28a36c64e58324f97b3c05b40a0ba83d3e8bd22ea077c567c239ea40b43d02

  Filesize: 2.6MB
  MD5: 80532a04a71c95a9db1b22527f664f5f
  SHA1: df917a4f7dd1e04bd2e8e03a047fedbe791212b6
  SHA256: 43cc6d7d57eb2be88831c9aa65d4aee6cf3ae0cbac6230508e99e58f9906fd0f
  SHA512: 6eb52e19d4e29a254c0609a47b4e2ee2879505ed8617389613e89a53248a731648ea092a43fa546580959b9378e9663c7caccd945cd2f327393e78143e80f586