Analysis
- max time kernel: 119s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
- Resource: win10v2004-20241007-en
General
- Target: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
- Size: 2.6MB
- MD5: 49333303d89ee476bb4c0530413e26f0
- SHA1: 20e7e5e65bf92a7566f733c9b1abf5253e56bcf9
- SHA256: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109
- SHA512: 1befd8176f259a8bf390c0901a26ee350b046877318cc626e1c82e3a03eb2745d867f3d64b3450d7ac391b8f834d6e32ee3d680081c677ac6c6f15a246827601
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpUbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (by 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe)
- Executes dropped EXE (2 IoCs)
  Processes: locdevbod.exe, abodloc.exe
  pid 2552: locdevbod.exe
  pid 2140: abodloc.exe
- Loads dropped DLL (2 IoCs)
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  pid 2248: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe (listed twice, one entry per loaded DLL)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4T\\abodloc.exe" (by 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFG\\bodxloc.exe" (by 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe, locdevbod.exe, abodloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by locdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by abodloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe, locdevbod.exe, abodloc.exe
  pid 2248: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  pid 2552: locdevbod.exe
  pid 2140: abodloc.exe
  (the 64 entries are repetitions of these three pid/process pairs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  PID 2248 wrote to memory of 2552: pid 2248, 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe, procid_target 29 (4 identical entries)
  PID 2248 wrote to memory of 2140: pid 2248, 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe, procid_target 30 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe"
  PID: 2248
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (child of PID 2248)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 2552
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv4T\abodloc.exe (child of PID 2248)
    Command line: C:\SysDrv4T\abodloc.exe
    PID: 2140
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads