Analysis
- max time kernel: 120s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 14:56
Static task: static1
Behavioral task: behavioral1
  Sample: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Resource: win10v2004-20241007-en
General
- Target: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
- Size: 2.6MB
- MD5: 660feb1886398baf42ac5e6c1d7fb930
- SHA1: edeb7f81eb514b3a68e9cc08037f2ddaa65d5a28
- SHA256: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23
- SHA512: 0d4b79c99462c84731facf301a593836a29ab179eaa3dc3d0ab02e4830130ed8d5f26d091f9ab16f5a3109d8ba17bf71bfc72a0d2e65addf8c4056f058e32d24
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2224 | sysabod.exe
  2704 | abodec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8A\\abodec.exe" | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAY\\dobaec.exe" | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the report lists the same three pid/process pairs repeatedly, distinct pairs shown)
  pid | Process
  1876 | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  2224 | sysabod.exe
  2704 | abodec.exe
- Suspicious use of WriteProcessMemory (6 IoCs; each row is reported 3 times)
  description | pid | Process | procid_target
  PID 1876 wrote to memory of 2224 | 1876 | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | 89
  PID 1876 wrote to memory of 2704 | 1876 | 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
  PID: 1876
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 2224
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc8A\abodec.exe (depth 2)
    command line: C:\Intelproc8A\abodec.exe
    PID: 2704
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads