d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244a

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
Size

2.6MB
MD5

93df5df669552083afc6646ac4843440
SHA1

e020625ec2f2b289b26253d1ae7b8898fe9207bb
SHA256

d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244a
SHA512

a294402ae70816263feead167ab976d16fefc097fd70072186a76fe4ea812e8a2a8b4e37715cd1d43ff1eb32aa354962cdaec92d8a5ff944de57044e8c945045
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bS:sxX7QnxrloE5dpUpub

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe

Executes dropped EXE 2 IoCs

pid	Process
4732	locxdob.exe
4980	abodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE0\\abodec.exe"	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3M\\boddevsys.exe"	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe
4732	locxdob.exe
4732	locxdob.exe
4980	abodec.exe
4980	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4732	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	89
PID 2572 wrote to memory of 4732	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	89
PID 2572 wrote to memory of 4732	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	89
PID 2572 wrote to memory of 4980	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	91
PID 2572 wrote to memory of 4980	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	91
PID 2572 wrote to memory of 4980	2572	d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe	91

C:\Users\Admin\AppData\Local\Temp\d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe
"C:\Users\Admin\AppData\Local\Temp\d6038ef8a530d31133afaf55a9ea480e6206c7c0bdb2e99d063cd2587146244aN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\UserDotE0\abodec.exe
  C:\UserDotE0\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotE0\abodec.exe

Filesize
119KB

MD5
6cae796b7bf8bba7d08c8dfbc631a3bc

SHA1
527b27ee32fb278fc8369b100f915d12b8fd024c

SHA256
c1dee1fbcdff3db5d4d19a2b69ff9b5c47d0f974df613acdb5435bf51177ccb3

SHA512
c02fb72b4af870e9de4cf73f9f32309014ec8199d26f8db52cc9c9262bc6e2899b009d62c294284aba21c2361eef0e8c2cfa91c5ea69bdf664bcbe6dbe496f7b

Download Submit
C:\UserDotE0\abodec.exe

Filesize
2.6MB

MD5
db20151748369b5b2b079a6c68767c02

SHA1
2165ed33da2e36148ec1386d308ce789ce0d6557

SHA256
b1a890c151d730df6bfd8271e4adb7ecb5b96bbca8c83d9c911c608aa6b3f60d

SHA512
1dcd070afee9eefd6dceca32ad9d6472182de894e223a5b735e8917af8285716deff6f535f61d7d1acb7e33be6f969dc2b7d19c9eeca21009553ddb83664db3e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
75a33102fbe1184ff2561c2c98c770ab

SHA1
16b51778fe2e2921581baf1d41622797ddef4693

SHA256
609a382e7d3c84d87a62bfc3247d8f771221cfe4099713f6b7b196e6a7d0165d

SHA512
fa545bb629c7ab952e665dccc4d492c790dd6effc04dbd7ee406b64871c26d5742859363a044a3806f31809623caf672cbeff3603841b979f9f0382eac5c743f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
484dfb8d03ad94be9ee547e38b66893c

SHA1
f61a95a03f1a0b49fd728695a74b732852b9f35a

SHA256
65eea1289d84278dad7dccfd5e85811503fbed69d8b951812dce2c32faa913b9

SHA512
b9589a1a6e83d50ee79c331dc9ccd131efcb8a398b8aca011775433677f1ad51557ee75ff5a42374559628e9c6ae45ab627b386daffc17262a2d78160d16d2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
04b969e93675082d86c693116cbba53e

SHA1
5ad45f05ba392465fb16da3bc2b21c1fca2b12d5

SHA256
b5227455ae245d9a824d6bb58f055dbe99f991fb04a302337139ebb9e5dc9105

SHA512
ed0e93759f91cdedac153efb14956e7e8b147b58297ac6ba76354e3cf91b241bb86c4c6756459cc7ab05a1a390efb8c19501c2459f2fe1045b1722dbc950695c

Download Submit
C:\Vid3M\boddevsys.exe

Filesize
1.5MB

MD5
55c9a9a07a505ad770d1dc9f8dbd2490

SHA1
9651e0453d2bef2f3a2e04924e19d79f3918661e

SHA256
a0495f0547f5885fb076cebe352ef9a30dcdab91e8ad27d45dbf981f778b6ae8

SHA512
06d2404869fa06344ed748c254af61bfdf5dd365b55164c77112b7bfd50ee7ec81390ee33b4d4d6b2095a9dea7a6ee2a2944ca6489bb536974de3be947c3dada

Download Submit
C:\Vid3M\boddevsys.exe

Filesize
2.6MB

MD5
03624737b5e678f7c443f8dd4ced914d

SHA1
7f889e1b6ec41569ffe2b0cdf4a4c15b971dd838

SHA256
d40833996639e66f909cb00e1f88d0ef78c39221c3a597110c342fde0961a474

SHA512
bee0a3c000448906ebf179338c00a5f3f8f28e9270c1c54f0f41f2b9ca5f33269278448608b64295c0fd1084159134bbd2b370ee15ce7bbf6991e4c51a2efddb

Download Submit