Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
- Resource: win10v2004-20241007-en
General
- Target: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
- Size: 2.6MB
- MD5: a46fff217cd67e6b4b2a8d002a4ebbae
- SHA1: 24d021c8243f86ada13c4b0decbe48fd1eef2193
- SHA256: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb
- SHA512: 4584c397529138996ad1379d71496f28fd32d1fedf5b8c43eccca9d4dd81841a21f9c81754e4634e5ff41c69f2c3d7542eaf8631906f0bb7c92a23a978cab9d5
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSy:sxX7QnxrloE5dpUp6bV
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
- 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
Executes dropped EXE (2 IoCs)
Processes:
- PID 2456: sysabod.exe
- PID 356: abodec.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 2348: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe (2 events)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesA3\\abodec.exe"
- 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM2\\dobaloc.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- sysabod.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- abodec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated pid entries collapsed):
- PID 2348: 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
- PID 2456: sysabod.exe
- PID 356: abodec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 2348 (9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe) wrote to memory of PID 2456, procid_target 31 (4 events)
- PID 2348 (9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe) wrote to memory of PID 356, procid_target 32 (4 events)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe" (PID 2348)
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" (PID 2456)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesA3\abodec.exe (PID 356)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads