920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Size

2.6MB
MD5

c677c0396196001bab66b9ff929a81ad
SHA1

52226cbc09cedad1ba7b86f89eb31b24b4b40800
SHA256

920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4
SHA512

8f413459d1de9e079321212c60d2387b197d3ee1f0b4ab720ad533906d749ad877c41f138e91f780ed97728464f5b86aa29890957c4b149e070371a9e8183581
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqW:sxX7QnxrloE5dpUpIbVW

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	sysabod.exe
2316	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1O\\abodloc.exe"	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZE0\\dobxec.exe"	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe
2164	sysabod.exe
2316	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2164	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	30
PID 1480 wrote to memory of 2164	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	30
PID 1480 wrote to memory of 2164	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	30
PID 1480 wrote to memory of 2164	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	30
PID 1480 wrote to memory of 2316	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	31
PID 1480 wrote to memory of 2316	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	31
PID 1480 wrote to memory of 2316	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	31
PID 1480 wrote to memory of 2316	1480	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	31

C:\Users\Admin\AppData\Local\Temp\920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
"C:\Users\Admin\AppData\Local\Temp\920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\UserDot1O\abodloc.exe
  C:\UserDot1O\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZE0\dobxec.exe

Filesize
2.6MB

MD5
dd203947204adfa156f9a8982d1feefa

SHA1
571a65847aed5c79d8c9bcf764349425195dfa18

SHA256
57fa0e4d6032d90b3546f3c12da779cec9ac90f752f575b1d717af302c5577ae

SHA512
c6a92421fd7dcacfedf0543bce6e17a217f25ea0b90dd46ea78d70e5d88a2dae996e96eb153b0f9f1ae56a7eb3bf289d771da817953f9a8cc68e9ef5f73650c3

Download Submit
C:\LabZE0\dobxec.exe

Filesize
7KB

MD5
20ec6effd447fb35f7db816f8c616148

SHA1
c8c9edd9f30b93dc161fc035c69b57e7af305dce

SHA256
43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

SHA512
6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

Download Submit
C:\UserDot1O\abodloc.exe

Filesize
2.6MB

MD5
6e0805aad52f9c83eb74a2ed73d9fbdf

SHA1
69e1c19ad0bc9ded7a316b4f6a7247bac2160f4f

SHA256
0ea5175a7f270d6bd76187a49d9755129a33ae4b69f4c078180caa768d4487c7

SHA512
b6eed73053e451daa13a4e99657a20a2474011067eda4076114e2c440326f77d25363b386b0d7d492f946304130c55ff144c5ea9b77c38cc5e0a743e19f02541

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
7930e14bd379acee77c00ed13dbd967d

SHA1
7e631b89003c26e724fd62c3007f666eff38bcff

SHA256
de1df46f215ad921f6c5ca6c9eed067cf7d0b1099bfc2c13f1b282c8e8c37066

SHA512
086cc633ad69db5d31b56e82e1237cf8a09f2b134a1d1e62b575ab35b56b779a643e9a6164389bb916457d33ec47e92cf208442905556b38394379ecf57d05a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
1cd7d8cdb61dbc52e1784d38c5b3bc67

SHA1
e370d312acd9f80c51f9c5ca4fae96405ba207a2

SHA256
4d6faab6a156e9370d0dde5e8107d4a409f7bb971a487090331da75dcde394c2

SHA512
857cec9b63cf9398af334577c7ccb393524fd7c94d6a2a40adaa2fcded8e034d3d28a36c64e58324f97b3c05b40a0ba83d3e8bd22ea077c567c239ea40b43d02

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
cdee46cfb5df063cdc82567902a68192

SHA1
1f0e3284878b0210c9e2b4fd4c6f973a930a3a2a

SHA256
65c52d40191397fa456fa5e99cef410f43f21c25a9600e2cb59e0c64b28b9103

SHA512
1ddf2cc05b395ee9fac9fa1612874c2d92f2175e8cdf2c9e458fbe1c8bd87e97bc51fc792b3419ee3aaef57daeda78fcd5b50f7313ce25e9edd952716278c6e2

Download Submit