Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:40
Static task: static1
Behavioral task: behavioral1
  Sample: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Resource: win10v2004-20241007-en
General
Target: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Size: 2.6MB
MD5: 782bc029e917158d9dc2d3af1462493f
SHA1: 231172651917f321cabd4532b993d1fc6cce977e
SHA256: 1a103394edcd5e659330eb4db0b7c2f6af6979238a46c71fd9f31e7647dfcec8
SHA512: 6630c41ee88582001e04e491cfc1a7329f2bd5fbcb781dcf3924c1a0753d4daeb445a4340d312aa5ded8283b627393d43a2687afaca47afc3a4011674697b34a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqw:sxX7QnxrloE5dpUpKbVw
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Executes dropped EXE (2 IoCs)
  PID 4056  locdevdob.exe
  PID 4564  abodsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other secrets.
  No IoC is listed under this signature in the report, so the specific browser files or keys that were read are not recorded here.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\Intelproc7Z\abodsys.exe"
    Process: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\KaVBUX\bodxec.exe"
    Process: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Both values use the same value name (Parametr) and point at executables in freshly created top-level directories. The Run target (abodsys.exe) is one of the two dropped executables that ran in this analysis; the RunOnce target (C:\KaVBUX\bodxec.exe) does not appear anywhere in the process tree below.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: locdevdob.exe, abodsys.exe, b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4804  b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe  (4 entries)
  PID 4056  locdevdob.exe  (30 entries)
  PID 4564  abodsys.exe  (30 entries)
  After the four entries from the original sample, the two dropped executables enumerate processes in alternating pairs (4056, 4056, 4564, 4564) for the rest of the run.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4804 (b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe) wrote to memory of PID 4056 (locdevdob.exe), procid_target 89: 3 entries
  PID 4804 (b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe) wrote to memory of PID 4564 (abodsys.exe), procid_target 90: 3 entries
  Both targets are the children the sample itself launches (see the process tree). A parent writing into a child it has just created is also what ordinary process creation looks like to a sandbox hook, so this signature on its own does not establish injection into a foreign process; the persistence entries and the dropped executables are the stronger indicators in this report.
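As an added example (not part of the sandbox report and not Triage's own tooling), the Python below parses persistence IoCs written in the "description ioc Process" layout used by the Signatures section above, normalizes the native registry paths to HKU/HKLM form, flags autostart targets that live outside the usual program directories, and cross-checks those targets against the images that actually ran in the process tree. The sample input lines are constructed from this report's IoCs; the trusted-prefix allow-list and the ATT&CK sub-technique mapping in the comments are my assumptions, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed input: the three persistence IoCs recorded in this report, written in
# the "description ioc Process" layout of the Signatures section.
SAMPLE_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7Z\\abodsys.exe" b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\bodxec.exe" b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe',
]

# Images that actually ran in this report's process tree ("Executes dropped EXE").
EXECUTED_IMAGES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
    r"C:\Intelproc7Z\abodsys.exe",
]

# Assumed allow-list: autostart targets under these directories are treated as
# unremarkable; anything else (user-writable or freshly created directories) is flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Triage prints native registry paths; map the hive prefixes to the usual short names.
HIVES = {"\\REGISTRY\\USER": "HKU", "\\REGISTRY\\MACHINE": "HKLM"}

REG_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<hive>\\REGISTRY\\(?:USER|MACHINE))'
    r'(?P<subkey>\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
FILE_RE = re.compile(r"^File created (?P<path>.+) (?P<proc>\S+)$")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class AutostartEntry:
    technique: str    # "registry_run_key" or "startup_folder" (both map to ATT&CK T1547.001)
    location: str     # normalized registry value path, or the dropped file's path
    image: str        # executable the entry will launch at logon
    process: str      # process that created the entry
    suspicious: bool  # True when image lies outside TRUSTED_PREFIXES


def _is_trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_PREFIXES)


def parse_autostart_iocs(lines):
    """Turn IoC lines into AutostartEntry records; lines that are not persistence IoCs are ignored."""
    entries = []
    for line in lines:
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            key = m["subkey"].rsplit("\\", 1)[-1]
            if key not in ("Run", "RunOnce"):
                continue
            # Triage doubles backslashes inside string data; undo that to get the real path.
            image = m["data"].replace("\\\\", "\\")
            location = f'{HIVES[m["hive"]]}{m["subkey"]}\\{m["name"]}'
            entries.append(AutostartEntry("registry_run_key", location, image, m["proc"],
                                          not _is_trusted(image)))
            continue
        m = FILE_RE.match(line)
        if m and STARTUP_MARKER in m["path"].lower():
            path = m["path"]
            entries.append(AutostartEntry("startup_folder", path, path, m["proc"],
                                          not _is_trusted(path)))
    return entries


def persisted_but_not_executed(entries, executed_images):
    """Autostart targets that never showed up as a running process in the sandbox window."""
    seen = {p.lower() for p in executed_images}
    return [e.image for e in entries if e.image.lower() not in seen]


if __name__ == "__main__":
    found = parse_autostart_iocs(SAMPLE_IOCS)
    for e in found:
        print(("FLAG " if e.suspicious else "ok   ") + f"{e.technique}: {e.location} -> {e.image}")
    print("persisted but not executed:", persisted_but_not_executed(found, EXECUTED_IMAGES))
```

Run against this report's IoCs, all three entries are flagged, and the cross-check surfaces C:\KaVBUX\bodxec.exe as a persistence target that never ran during the analysis window, which is the file to go looking for on a host where this sample has executed.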
Processes
C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
  PID 4804 (depth 1)
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID 4056 (depth 2, child of 4804)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Intelproc7Z\abodsys.exe
    Command line: C:\Intelproc7Z\abodsys.exe
    PID 4564 (depth 2, child of 4804)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 277KB
  MD5: ca19464d7a0745e69831e036f9433af7
  SHA1: ea4cc82861e4b3b327c21eb4b50ee3dae27f3438
  SHA256: 5352f9c5d0d24fc9c7f1cf693681928d19cb7b2d0dfbf1d89d6c2dcbf50eaf50
  SHA512: 17e551e3896f678dc97ad87db02adf7ccf7887b0a2d7a9a47485fe74e6e792b430010a4477a10da9c8871c08f395b09f127611e8792b5172a11b4878c7171e1c

Filesize: 2.6MB
  MD5: 5503271a899bf7569c30ca5cb735b1fc
  SHA1: c9bed33b6dd70fda2058191e33ea0aeead5c7e40
  SHA256: 67210a7e5b1678bac07860a65781d2e763f27a6bb43d9c8592c3a0efdc8dd5cc
  SHA512: b5596f65c6c18ada1c31b7e221207ae27cb855470005af1e14948a457d3c1a24509a80c2e0447df1ee33c25925a9673a572ebd7b20b136f475ca16b6a3ba54b6

Filesize: 2.6MB
  MD5: 48f805b7d06218f08adcdfc7dc4cff32
  SHA1: fdf34bab3f639607a6fa8bdda358e9a7877d7248
  SHA256: 34a30a8664e1832b7616a9b10b9b7b28f1fdbafac4e22e54db1b1f556d5dfb64
  SHA512: 0bcea93c4d5efd09217e7938c254d03ff758c8b066280c1735e970287c1acc579a016bbf8737242b6ac7ce5be8393a44c179defb6c9606850052c524b86bb60c

Filesize: 858KB
  MD5: 29b2ae0e13ab7ceba24dd078951245b5
  SHA1: 0777602131df34a6bc094a712f3b916bb96604be
  SHA256: 2a2b8a7f689f30b282dfa807f09256f427ae99ddf8145ae6726ba8a6f07f845a
  SHA512: e412a05336831e835fba5129c60644bc250be17af5052214470d91a134415e4676a0f8d34c932170f811b0e1d25efd117ac15d3bfa1841f2be12ca534c628180

Filesize: 205B
  MD5: b8541d68cd4714b1048cbb39e194b092
  SHA1: 129ddd79233f73e96061c0997166b6d4bac063ab
  SHA256: c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e
  SHA512: cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8

Filesize: 173B
  MD5: d375844367e3f417ed3d7a15e80eb050
  SHA1: 020e6acb873b7b1556136e720fd6d44b02cb5769
  SHA256: d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295
  SHA512: 37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1

Filesize: 2.6MB
  MD5: 330d205e3ddebbbb6dce7683cd1661b2
  SHA1: 8ed60bc6e10e7577ddf4368792e88789bc647738
  SHA256: fcf2c91fcb9ece4f2802fde13665ea9f5dfe72f06777b38976addb4982500cac
  SHA512: ad3ffec47a30648778b10680527c72dd55bd18b5370eb6542a59f3026a7be64ffd3bf935c27c75c1f81c73a72a1038b1548b0f67f7482f4a295754adef94aa01