Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:17

General

  • Target
    9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
  • Size
    2.6MB
  • MD5
    a46fff217cd67e6b4b2a8d002a4ebbae
  • SHA1
    24d021c8243f86ada13c4b0decbe48fd1eef2193
  • SHA256
    9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb
  • SHA512
    4584c397529138996ad1379d71496f28fd32d1fedf5b8c43eccca9d4dd81841a21f9c81754e4634e5ff41c69f2c3d7542eaf8631906f0bb7c92a23a978cab9d5
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSy:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
    "C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2456
    • C:\FilesA3\abodec.exe
      C:\FilesA3\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesA3\abodec.exe
    Filesize: 33KB
    MD5: 0bff6a8bffb6b865fbe4908d666b07ee
    SHA1: 5e176ff62c86ebbdaab5e545079308f50395f3f6
    SHA256: 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
    SHA512: 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 166B
    MD5: 8c610cd2b35c12835561c889daeebd5c
    SHA1: a1e5b91cabd4d98e6e743994f5f7d674d5e5799f
    SHA256: a6f00d03fee5065eed46f67b7c9a2693564a49a22860a2329942893bb3a35658
    SHA512: 8df3300205afeccfc0ef205b2e67256d23d76fceb2d0114a10f180a32eefd8457ed56096a6a3d91e4972906053ffefed33dd5f0f967ef214d5cb87f75f7b95dd

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 198B
    MD5: e6647934d5ac0d39f49581aa09b7baac
    SHA1: 6616f3b3c99d1b0a1db5e83cc9f5163cec61d4a1
    SHA256: 8e0086ceef0944fd9e00d9c4172084774a77d15eebae04ac98f00807dd57f3a7
    SHA512: 580a17c261504667b9022662e7fd90bd6b33cbaafe7a54b2c06f40898ff2d7ffc08143e1a277314de1d5574d5b361697bfa9fd5508c2954d81357455956450c5

  • C:\VidM2\dobaloc.exe
    Filesize: 86KB
    MD5: 75391c55397dcf2fb66511ca0ced7d9d
    SHA1: 44748bdad55bfe6e4737f0c5773d553f0b147f8c
    SHA256: 6dd6eb6910674b58e1dbc95ef28172ad543500a01111509c373ea0a7d72439b1
    SHA512: 01ddec563de678a0bd819caf9c87cbb98ffcf400eec9f0dfc83b065644b38732cba4404dae173f58cbb6b52f6c184fd63f71c7af575839dcd119ad8b8b145d71

  • C:\VidM2\dobaloc.exe
    Filesize: 2.6MB
    MD5: 6746f55a50529721cb8630ad83781e43
    SHA1: 245c1db4f90a798f34d37ac4583265a8968c1dbe
    SHA256: 16e22a66dea9f478c918b274282d8481f86f2b32a73abb8cc7e970c848c681e6
    SHA512: a2340f4ef24fc6266713d311f5836ab3f9bc8c14b05cdb5bf8735aa6a11fd6b54d08826a6ff6ce46dcc1aa9862fc121ad0a779aacebdf667e75b9b6bf7810a80

  • \FilesA3\abodec.exe
    Filesize: 2.6MB
    MD5: e95537f0c5b92d503ff2d34bf38c5bd9
    SHA1: 52364b0057bea242c7d372e3dda99d0477776881
    SHA256: 7bb09a67a7c7315927c523a7403ad7cbf49d3996ff5c6920fe60e88d8740f1cb
    SHA512: b8c018157d918abae25d4ba64301e9b5d622530d979d41e729c879953fd1d06286c209c5707f2ac93c5d8ea9fe961dd984b39c9b8304006d180da9a4128cbaed

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Filesize: 2.6MB
    MD5: afc6bdc1eaae4b337ab9b1e085817643
    SHA1: 8443ec339aed6cf38128f4fe873f5860c8536106
    SHA256: 201731fc485f4d19d6a6bad77e08cad1b2bbd90d6216119b7a0b33fd9e2365ac
    SHA512: f7e517603bd9ebeb3928c4eef9e5b764811c239f8c886a9e0fd4bdfe884d5257d967d01eeea53c7300b5acea36dbf511b4e0e23fa5f239354717b0d82550b617