Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
- Resource: win10v2004-20241007-en
General
- Target: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
- Size: 2.6MB
- MD5: 5aca2c1a262bdf9ddd1d1406af5f0c40
- SHA1: a33af90e123e64ae31624c0337d80a6f20bb3171
- SHA256: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7
- SHA512: b483cdc3844af019757b285d5aabacbf41d36d790cf0d85a841d3c5cb44c5bea781481c585a0e1b3ec3cebf51d2d2b1fe670877cd8806e8f48cc0c1d335582b2
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpgb
Malware Config
Signatures

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe

Executes dropped EXE (2 IoCs)
pid | Process
2424 | locdevdob.exe
2044 | abodec.exe

Loads dropped DLL (2 IoCs)
pid | Process
2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesM4\\abodec.exe" | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSC\\optixloc.exe" | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
2424 | locdevdob.exe
2044 | abodec.exe
(the remaining rows of the 64 alternate between 2424 locdevdob.exe and 2044 abodec.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 2424 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 30
PID 2420 wrote to memory of 2424 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 30
PID 2420 wrote to memory of 2424 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 30
PID 2420 wrote to memory of 2424 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 30
PID 2420 wrote to memory of 2044 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 31
PID 2420 wrote to memory of 2044 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 31
PID 2420 wrote to memory of 2044 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 31
PID 2420 wrote to memory of 2044 | 2420 | 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe")
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2420
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (depth 2; command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2424
  - C:\FilesM4\abodec.exe (depth 2; command line: C:\FilesM4\abodec.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads