Analysis

Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 09/11/2024, 20:55
Static task: static1

Behavioral task: behavioral1
Sample: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
Resource: win10v2004-20241007-en
General

Target: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
Size: 2.6MB
MD5: 757fd4a96075124bd1bfe506f6fff955
SHA1: c035eeb5e726d7515b76a17431c63e83868bc627
SHA256: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7
SHA512: fdd75ea3a80a8eceb66da72918976c57d29b8b9c015fa212fc5041b23e54e96a8dc239dcf04a6af82332ceac6e8854eaed02581b79ea5fc7bab580f0388ab6bd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe

Executes dropped EXE (2 IoCs)
  PID 1240: locxdob.exe
  PID 2896: abodsys.exe

Loads dropped DLL (2 IoCs)
  PID 2692: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, such as saved credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesE7\\abodsys.exe"
  Process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9D\\dobdevloc.exe"
  Process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: abodsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: locxdob.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2692: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  PID 1240: locxdob.exe
  PID 2896: abodsys.exe
  (64 process-enumeration events in total across these three processes; the report lists each event individually)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2692 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 1240 (locxdob.exe): 4 events, procid_target 30
  PID 2692 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 2896 (abodsys.exe): 4 events, procid_target 31
Processes

C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
  PID: 2692
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 1240
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\FilesE7\abodsys.exe
    Command line: C:\FilesE7\abodsys.exe
    PID: 2896
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
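The signatures and process tree above show one parent (PID 2692) installing persistence three ways at once: an executable dropped into the user's Startup folder, a Run value pointing at C:\FilesE7\abodsys.exe, and a RunOnce value pointing at C:\Vid9D\dobdevloc.exe, then launching two of the three persisted binaries itself. The Python below is an added example, not part of this sandbox report or the sandbox vendor's tooling: it correlates Sysmon-style file, registry and process-creation events by acting PID and reports which persisted binaries were already executed and which are still pending (the RunOnce target never runs inside the sandbox window, so a hunter must look for it separately). The event records are constructed from the report's IoCs; the field names, the extension list and the benign installer event are assumptions.

```python
"""Correlate Startup-folder drops, Run/RunOnce values and child launches by PID.

Added example. EVENTS is constructed from the IoCs in the sandbox report above;
the Sysmon-like field names ("type", "pid", "ppid", "image", "target", "key",
"data") and the startup extension list are assumptions, not the report's schema.
"""
import re
from collections import defaultdict

# Executable-type file dropped into a per-user Startup folder (extension list assumed).
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+"
    r"\.(?:exe|dll|scr|bat|cmd|vbs|js|lnk)$",
    re.IGNORECASE,
)
# Per-user (HKU) or machine (HKLM) Run and RunOnce autostart keys.
RUNKEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events mirroring the report; the last one is constructed benign noise.
EVENTS = [
    {"type": "FileCreate", "pid": 2692, "image": SAMPLE, "target": STARTUP},
    {"type": "RegistrySetValue", "pid": 2692, "image": SAMPLE,
     "key": HKU + r"\Run\Parametr", "data": r"C:\FilesE7\abodsys.exe"},
    {"type": "RegistrySetValue", "pid": 2692, "image": SAMPLE,
     "key": HKU + r"\RunOnce\Parametr", "data": r"C:\Vid9D\dobdevloc.exe"},
    {"type": "ProcessCreate", "pid": 1240, "ppid": 2692, "image": STARTUP},
    {"type": "ProcessCreate", "pid": 2896, "ppid": 2692, "image": r"C:\FilesE7\abodsys.exe"},
    {"type": "RegistrySetValue", "pid": 4444, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
]


def target_from_run_value(data):
    """Return the executable path from a Run-key value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def correlate(events):
    """Group persistence-relevant events under the PID that performed them."""
    by_pid = defaultdict(lambda: {"image": None, "startup_drops": [], "run_keys": [], "children": []})
    for ev in events:
        if ev["type"] == "FileCreate" and STARTUP_RE.search(ev["target"]):
            rec = by_pid[ev["pid"]]
            rec["image"] = ev["image"]
            rec["startup_drops"].append(ev["target"])
        elif ev["type"] == "RegistrySetValue" and RUNKEY_RE.search(ev["key"]):
            rec = by_pid[ev["pid"]]
            rec["image"] = ev["image"]
            rec["run_keys"].append((ev["key"], target_from_run_value(ev["data"])))
        elif ev["type"] == "ProcessCreate":
            # Children are recorded under the parent so launches can be matched to persistence.
            by_pid[ev["ppid"]]["children"].append((ev["pid"], ev["image"]))
    return by_pid


def findings(events):
    """One finding per PID that installed persistence, graded by what else it did."""
    out = []
    for pid, rec in sorted(correlate(events).items()):
        if not rec["startup_drops"] and not rec["run_keys"]:
            continue  # only spawned children; no persistence action of its own
        persisted = {p.lower(): p for p in rec["startup_drops"]}
        persisted.update({t.lower(): t for _, t in rec["run_keys"]})
        launched = sorted(img for _, img in rec["children"] if img.lower() in persisted)
        launched_lower = {img.lower() for img in launched}
        pending = sorted(orig for low, orig in persisted.items() if low not in launched_lower)
        both = bool(rec["startup_drops"]) and bool(rec["run_keys"])
        severity = "high" if (both or launched) else "medium"
        out.append({
            "pid": pid, "image": rec["image"], "severity": severity,
            "startup_drops": rec["startup_drops"],
            "run_keys": [k for k, _ in rec["run_keys"]],
            "launched": launched, "pending": pending,
        })
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']}")
        for p in f["pending"]:
            print("  persisted but not yet executed:", p)
```

Against the constructed events this yields a high-severity finding for PID 2692 with C:\Vid9D\dobdevloc.exe listed as pending, and a medium one for the installer that only registered its updater. The "pending" list is the part worth acting on after reading a report like this one: the sandbox saw locxdob.exe and abodsys.exe run, but the RunOnce target is a third dropped binary whose behaviour the report cannot show.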
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: c008f82098d0fc86d6d97b06931ed1e9
SHA1: d6ff2bf29202294dc3d9f0b5cea1c43d597456a8
SHA256: 9a782330ee77bf9befd1b459ec49cac1d8fad95f90899dd703ed854109200c0d
SHA512: 3d7711f384bef8cd8202edda611ac0c4bd5e7c71fe62510beff7d57952eb68523599dab94a584c25935a66915791d04d51b4f7b842ccb6ac9d41eef7a19acde5

Filesize: 169B
MD5: 0cf379b8a788f24c886168a4b0ab0667
SHA1: 50f83fb912415bb3e897dfe558071429e6791e13
SHA256: a457df7bde4e48561fd87e9fca3df7044fc3a9a924568fe38615c45cee958741
SHA512: a722db24992af509c55f09c923e803be385b5006fdc494bfbfa45855b819afafb34305de35d5a7adfa292e453aae9f257debc8dae9362bfce7b8f41e4afc4d3b

Filesize: 201B
MD5: 694ce1056ba8e3b8b3c1d6fc30ecb7b4
SHA1: 0d390eaa282c51d3bd94ae4e1ed2c6c91d669f1a
SHA256: 14fb9cb969e4ca1dd6e494baff55de93475eacecfd23b75f4106f0ab901653d8
SHA512: c4e4f18a22029e489eca4a034db2820be796dceafffd2922d59edfd9258fc81e77ec077d5ada8e64e2c6813fcc97a52830d787197ae5635c64528429c61588e2

Filesize: 2.6MB
MD5: 2eaea640c6ca3c6436663edd759a3c1f
SHA1: 616234afae3afee7e55ba7f2c3e57c4253bd8fe8
SHA256: 4f36c8304845010c35af64302515f4d08c93924c9075c6421437b92e267442c3
SHA512: 648ff818cd55cdb6304b895925336ef78aa14393d19064e71a42677edbb67cc79ead803d5ee867ee61f894df7895904deb6a1f48c7e83faf5dbd878842270dce

Filesize: 2.6MB
MD5: 0019475ee865cecb0012b5ae9e8b2645
SHA1: 1aa62475d2857430fb9515238eb0e3b18968e225
SHA256: 6584feffc09cd03a2f75c80a3d36463d8e7e18993485ed822b030833a6917c0a
SHA512: ddba0e3a0549043f1205ad8b68770c3e260b7d5c5d8b8bcc5376bbee3d8f892bbe63e64ebfec2b403bb3e66f7392a9bddb0dff66147cbff812af3458e908dd03

Filesize: 2.6MB
MD5: e538c5b2ae4ef7159d430b149a46bae8
SHA1: b7edf37155c2889eeb08ab2db3eae447985ceea0
SHA256: 202cac51887c7853421e3ef163da2126d8b233801c3d73d54275c0f5de03f497
SHA512: ea5da3192b6ad903d3eb3298eb87420760a84dc2f8552d5ad7b6b10fdcde09e57c26b56a71888e8e3801b9e67505147506aac31fb9fbf06c85968162b30448f1