Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 23:33
Static task: static1
Behavioral task: behavioral1
- Sample: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
- Resource: win10v2004-20241007-en
General
- Target: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
- Size: 2.6MB
- MD5: ed3cb1d16d0b67b5b30f72731d353745
- SHA1: d27e62b376ac0bd8d24587fd40ffb2d0c7a25034
- SHA256: 092d2e1ad6c85ba0bbfc8a65245cfdb155b91139c6812c5c8f4068ede8401099
- SHA512: b1ebfb36f3374946b91249de82c0c4d28ef303808e0561748d6af6ce45d0476e05483120921de0fdea667aa7b79ab7575f5a7ea964b592c32344f4e127747cba
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSQ:sxX7QnxrloE5dpUpfbZ
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe)
- Executes dropped EXE (2 IoCs)
  PID 2368: locxbod.exe
  PID 2016: abodec.exe
- Loads dropped DLL (2 IoCs)
  PID 2532: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  PID 2532: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMU\\abodec.exe" (process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOT\\bodaloc.exe" (process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2532: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  PID 2368: locxbod.exe
  PID 2016: abodec.exe
  (the remaining entries repeat the pairs PID 2368 locxbod.exe and PID 2016 abodec.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2532 (7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe) wrote to memory of PID 2368, procid_target 31 (4 entries)
  PID 2532 (7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe) wrote to memory of PID 2016, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe (level 1, PID 2532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (level 2, PID 2368)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotMU\abodec.exe (level 2, PID 2016)
    Command line: C:\UserDotMU\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads