Analysis
max time kernel: 120s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:15
Static task: static1
Behavioral task: behavioral1
  Sample: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  Resource: win10v2004-20241007-en
General
Target: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
Size: 2.6MB
MD5: bc4c0a71addfe6f7740b88d9795c86f0
SHA1: f576d9f33c789bc91515a2e5bd44770ad7134d41
SHA256: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3
SHA512: 4f2f047e03ebd4fbc8dd101f8592f7fd887252c39157bc4b9c18db2a7b5ec2a14197a36829d2d3363a6b7b13026b905175574643468148ab656c36321770a355
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe

Executes dropped EXE (2 IoCs)
Processes: locdevdob.exe, abodsys.exe
pid | Process
3948 | locdevdob.exe
4648 | abodsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7Z\\abodsys.exe" | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\bodxec.exe" | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, locdevdob.exe, abodsys.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, locdevdob.exe, abodsys.exe
pid | Process
4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe (4 entries)
3948 | locdevdob.exe (30 entries, listed in pairs alternating with PID 4648)
4648 | abodsys.exe (30 entries, listed in pairs alternating with PID 3948)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
description | pid | Process | procid_target
PID 4572 wrote to memory of 3948 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 89
PID 4572 wrote to memory of 3948 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 89
PID 4572 wrote to memory of 3948 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 89
PID 4572 wrote to memory of 4648 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 92
PID 4572 wrote to memory of 4648 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 92
PID 4572 wrote to memory of 4648 | 4572 | b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4572

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (depth 2, child of PID 4572)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3948

  C:\Intelproc7Z\abodsys.exe (depth 2, child of PID 4572)
    Command line: C:\Intelproc7Z\abodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4648
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 250db7c6f417c691769ce23d48f0d886
SHA1: 27933c5dd12d32aabc758a24ed44185141d7495c
SHA256: 1ed78969f54069a5803df4c5aa2aed55bc3e71afc57fbb03628a9636c3ec6020
SHA512: a47136aa2539957d868e8b07afbfc546244c36715750eec8eaf4f46d12f9895a78c79fd4a3e8f7f160144ca25c079013483a43f7fa2f99c10f76e9efc7b16778

Filesize: 2.2MB
MD5: b1a65dc6265439b27cf5a228ec888e14
SHA1: 8d16e64c078beb23e5ea488966097203debf485e
SHA256: e372887ba607bed8a4e07f0fad47e293845c33acaf1df155f0ebca0bdd69d866
SHA512: 07e8707017613d528f7060da43c64ca87b395306c94759977e57c2a36039ca4f5dec5058971778e06a31c2487a0e338c37037a0a45ecc066485932545e6d93b7

Filesize: 2.6MB
MD5: b30d44289695511470e4de44dc4f978f
SHA1: 7296e716ed996f4fd6520db130789344ad3e9962
SHA256: f51abcab5b1461ac5114463fc56aa1babe17efe2c6150f51ec64ce18fa9f0b16
SHA512: 285fcebbf20dd221a1837b64bbe11499dbd2ee95ddd0d91e8dc02837279dc0c95354ce58236236119ef174f97cb2e834a9d9a074c9839abc7915a57e57b3b95d

Filesize: 205B
MD5: b8541d68cd4714b1048cbb39e194b092
SHA1: 129ddd79233f73e96061c0997166b6d4bac063ab
SHA256: c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e
SHA512: cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8

Filesize: 173B
MD5: d375844367e3f417ed3d7a15e80eb050
SHA1: 020e6acb873b7b1556136e720fd6d44b02cb5769
SHA256: d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295
SHA512: 37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1

Filesize: 2.6MB
MD5: 0f0000172b831455c287c4fc3b93f4aa
SHA1: e556774b87aadac4a76a5e2f2e0e7e42d2d759ee
SHA256: f2d29313a7b33f7fbd9eb6c3559eae872291b7b607a6b808b7d83840c91df8c7
SHA512: de8b45303bf1ae92787ec3f030433e1e14dccfa82231b8f89bc12b46ab854edfa4013f2f83f433e21f050c0fcc5cf826167c0d7a14eed0cf6f56e48bdc92a201