Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/11/2024, 14:56

General

  • Target

    6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe

  • Size

    2.6MB

  • MD5

    660feb1886398baf42ac5e6c1d7fb930

  • SHA1

    edeb7f81eb514b3a68e9cc08037f2ddaa65d5a28

  • SHA256

    6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23

  • SHA512

    0d4b79c99462c84731facf301a593836a29ab179eaa3dc3d0ab02e4830130ed8d5f26d091f9ab16f5a3109d8ba17bf71bfc72a0d2e65addf8c4056f058e32d24

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
    "C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2224
    • C:\Intelproc8A\abodec.exe
      C:\Intelproc8A\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2704

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Intelproc8A\abodec.exe

          Filesize

          326KB

          MD5

          e573bd162c4d54879610c0e99707fdb5

          SHA1

          05b8abef898e170a73851cd05cf916dd3b7756ab

          SHA256

          ac9ef65265e3d49b86741fd7f3059af1c3928778d8d9488f7ad2e54b665a5ceb

          SHA512

          8178500d06d2f9b0adf987cfed0a4becb8409939b024339acc8805c534d1376b84185ed9f9e7b1450a5ad9b4e520029f9e89d5e257bbb23f4aad084548936c66

        • C:\Intelproc8A\abodec.exe

          Filesize

          2.6MB

          MD5

          6697a5129a0672d29ef88229004e0222

          SHA1

          ef72c3251ff5eff95fe923d607a66a6cc49a7a34

          SHA256

          88eb9a1882838809ec7f2e869fc77be97c69d45851c0e3ae9abf8032ad6124c9

          SHA512

          a7ef3f3982c45feeee3c8a1f957e8992e5d274ca9c81a23fcf518bb9c9b12069e607becc25d1cf41a72a6ca72e2dd44709b3c0a863d0058f5f351654c4fb3938

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          de169059d63173a479a4efe76853d905

          SHA1

          fe86741bbf3d34bd8cdd3e9d1441d68082ce970f

          SHA256

          ff9c67b4ceafba3f29b1d819e049cfc3ce5d93c6c4977233e6f294b378a9b481

          SHA512

          f5170c0e859710edafd1e81ec0e373e98a1b0431d24cf6250967ef53e3f10dd58edcc04df6947db300c1577ce147bf35abb3b6fcce8f57d5dc5c9b11728b6456

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          3021fc6cf8fc95e3b759b1a4bdfd5415

          SHA1

          37f10a70fc1e2362dd386ed2b9c76dc3bda6c124

          SHA256

          fb77e6c2759f9f6062866b8276dff445a9faba631608eff75c755214dc17f755

          SHA512

          4cb89ccc6444bfc320628f83184cfa1528a5391a783eee3301a83086a95881896ff5fbfabb1971c5cc42f8d0343e1b748a883d5277ae40d64ed2db864ed09a5f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          467bef1383199eea710c217e8e57ad4f

          SHA1

          21faaf7e32f555e55014e91b4b9a2fce1bce441b

          SHA256

          17034150504b931a0d57b166c581a5c418ae169b587c96b1803e5946fb401d13

          SHA512

          dab74dc1105f4b4ef56763820ebc502e5f170f81c5a71e9a6fbf0069ef2a8ee407e45cb564e27378efdd4123616cd774049e6f28ebdb0501ec57644afa8513d3

        • C:\VidAY\dobaec.exe

          Filesize

          594KB

          MD5

          7ec70bd93cb66bc2fba6e5cb45afd693

          SHA1

          9537ff0398b4862936dab2514e7ad2bb22e7d2d6

          SHA256

          4aad5282a3673bc7f255658c183f9a3f6c401f185a1c292dde46ffd8231b2a20

          SHA512

          914a2c508ce5006ed8eac6ec5141c969a557f8d9e63f772620609dbf4d56862bc9843c2d61c07a00cab6b6622aab671a90301b1b5c79978be48c8d4c3edabed9

        • C:\VidAY\dobaec.exe

          Filesize

          2.6MB

          MD5

          85d694a3758666506acf6f461d49ae44

          SHA1

          6c8364f254275ef356239e3329d87e3b4e338020

          SHA256

          e1147d982f7c55e1bfaba3eb6965c54d3edfacb4e9e1f93f9aa24f557b9780c9

          SHA512

          2d619d45775be3ab54b7d87c3f94129db319dce8b3b36f0c94d3e6a2a385377022c81c06a67ecf84f2b6088aeb1931bf12ccdd8980cc5476eea27bd5e244aea8