a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
Size

2.6MB
MD5

1f08fc51760141f8fcc0241621d294dc
SHA1

f0b46968bfb2b9d8018bb03eae64e87fec953c9f
SHA256

a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad
SHA512

20a47be284ec924902aa09435c5103a512fc8ae86404ab1e1c0dec372d5f277ac06661a341ad341591efde06357ea712c9f8cd248e792ed9832b3064f4a16a73
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSW:sxX7QnxrloE5dpUpIbv

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	sysdevbod.exe
3036	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7F\\abodec.exe"	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBSL\\bodxec.exe"	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe
2764	sysdevbod.exe
3036	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2764	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	30
PID 2632 wrote to memory of 2764	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	30
PID 2632 wrote to memory of 2764	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	30
PID 2632 wrote to memory of 2764	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	30
PID 2632 wrote to memory of 3036	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	31
PID 2632 wrote to memory of 3036	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	31
PID 2632 wrote to memory of 3036	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	31
PID 2632 wrote to memory of 3036	2632	a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe	31

C:\Users\Admin\AppData\Local\Temp\a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe
"C:\Users\Admin\AppData\Local\Temp\a31ead333aa7b97f839a5707f7c36667cfa724dca841f453fe08c46e5d559dad.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\SysDrv7F\abodec.exe
  C:\SysDrv7F\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBSL\bodxec.exe

Filesize
2.6MB

MD5
e9d66eb68bec2ad8fac7539d7799a71b

SHA1
df3df1dac7bc41c290a0cf30024d3f286b795580

SHA256
ed68ecd7788b61fd31218f65d4ccbb2a6574329e6e5db4c1b4593460a065695f

SHA512
ae1e36880cb22b5fac4d72980c106c054909905b460f37c9bfebeea02c649b36590f5123787c9f72b70f00ef90b3cd12b3e0be8b6f8047d016405d15dcf52ac6

Download Submit
C:\KaVBSL\bodxec.exe

Filesize
982KB

MD5
65d94c71c088ab9a54931afc4234be71

SHA1
f3a4a1cf2166f94a302cd0bd3187e7e8201ba4e2

SHA256
919b960573f46c66faec2e92d9facdb15f06e58ab486675ff8b69dc2fddcd942

SHA512
d5ff628b7b12d224b2ef315a12e169f34c5ff80466b179e280c543543fc1c44a8f72bc12de8e2fdebcbf9931a887aeea2e3327ea381a969a5c9261c9cc84bf90

Download Submit
C:\SysDrv7F\abodec.exe

Filesize
2.6MB

MD5
b05c48f474d2c62bc48030185d0873c8

SHA1
b7e3dcd81adc3a540e12070f769a5ee0b2711116

SHA256
026a754c13b62421f1d21c04b9865e2b66d3841a69ee94c712bcf0389e2bb618

SHA512
9aac7c490cdc192ed7514b7017d12baba7cf35108a970ec164d4b02ea18f768671583d87ad38aa6b5efdcd5a6e40dc8c8b60c2f1f0ffc65776744c8c6f992434

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
b392702cdec4641323a9164773fdc203

SHA1
7987515cedb1e0084f110ee1a242acc84683929d

SHA256
ce945bcc74848b375f1a8b5cbcd270b8bf97fc4a632ebd11c364f7a0e14516a7

SHA512
cf2072d763966c86e2cb51b40b583461bff351b744d5c11ed3752b31e2e42056ae2af0b2db75569887dd2a2a31e78278b336da1cbba4e3176f48d6cf60281ec3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
266c2614b7e71475e1f6120abb81581c

SHA1
3730f53d09cdb44e2b41628c5289b19a15fa2b57

SHA256
580afb82fbbbc1328949ef2dec2b0c3debe6126d483dac9c4310250ee695cc8a

SHA512
c6b7cbc3bf4d1d30be242f8c14089d205dba883093600db0011680d0feb6a24c833c47da7d5d72770f4883915be02e83dfa60b09bd12b299a99a0ac27438782b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
faf986a244d83a5c5198f2f3f50bc4d6

SHA1
499158e584cf85a0ef12232d2a329c9a839734a8

SHA256
91151872cd0802a28a1b6382d4e03fb67313d6ca3f3fa50ff08c0dde66e448ff

SHA512
d792bda8c3dc9f8db6db022e204ec758eab2efd8ecad71e7fe52cf04c3f05d720362418c710ffe2f984c1d5e3949176bfac39bcc225318fecda6269b36f57f75

Download Submit