ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
Size

2.6MB
MD5

a15c0b3b51052822dd5895c36ff5ce35
SHA1

7df7018acf47b5884d515fd3785322ac7f45e369
SHA256

ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c
SHA512

f01b2eaff88b83b393146664652b9f945537240033ee0cb7c3985181a77135c635defe62ab17e1cf1119764d6e5471092b33f0234f4e771a14dc08b31bf18213
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpkb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	sysadob.exe
2308	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUC\\abodloc.exe"	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN7\\dobxloc.exe"	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe
2236	sysadob.exe
2308	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2236	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	30
PID 3060 wrote to memory of 2236	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	30
PID 3060 wrote to memory of 2236	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	30
PID 3060 wrote to memory of 2236	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	30
PID 3060 wrote to memory of 2308	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	31
PID 3060 wrote to memory of 2308	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	31
PID 3060 wrote to memory of 2308	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	31
PID 3060 wrote to memory of 2308	3060	ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe	31

C:\Users\Admin\AppData\Local\Temp\ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe
"C:\Users\Admin\AppData\Local\Temp\ce44012912833505b760872edc5dbba96864c9370ed14eca4f0c399ef81d848c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\FilesUC\abodloc.exe
  C:\FilesUC\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesUC\abodloc.exe

Filesize
2.6MB

MD5
4b60e9a4bb7dba01f15181013063677c

SHA1
1a2567a8577072675ee9b519af6996ae01cb3bd7

SHA256
84d0603f2a3e35d9a45a7fa1e8314da9716b4187131330826b905a2f31ce60e2

SHA512
ced2fb8e919853a410b94efcce5125839d4e3cbf6f319273ba701f1f4c86e7370dc722e66c1551675aa10a22a3e96247a6d1c6b00175cb7baf6d4441fa1e1c90

Download Submit
C:\KaVBN7\dobxloc.exe

Filesize
2.6MB

MD5
ae4f81770381d7a10b274915f6676ef3

SHA1
2ab500cdd3ad5efc6a8708d2cc715833307b8c91

SHA256
33bc620cc063764404041473d5c277ba1c88c078251a4ecf0820ab93862a23f8

SHA512
e56ffe284199d20963f4e02394d0e94aa6f852981df5463d929b0b1dac0fee1ae9a61e700a11f7794a390f84a7e9b7f9e7b7a14acfcd59b4276d7c980c8014d8

Download Submit
C:\KaVBN7\dobxloc.exe

Filesize
2.6MB

MD5
c3b8d2667e0c55a589ecf3ff0a545fc6

SHA1
e5d32f6090ab7a3c8b39fb53c9c2f079c5ef962d

SHA256
5b9cb2171304c17540fe0700b4a6b4df46ad2d0690cbffb173935f21ceb7472e

SHA512
6b9c0abd1ec31716bb3ecaf6e7d68d9ae46daeca63452820db6cc76a2407b376826bc31202015c72ff0dbf73242f6060a4fde7be180056d90c624edb88929c69

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
cecb94a228c1addcbc1bf11af4e6e74b

SHA1
9cd49e2b2050e4221212c424bcc338816447b5d4

SHA256
df16a5310a9bc5feed37bbf318da4723d79a891007b9c9d144b86a84e3a364d3

SHA512
2e7f9d7073c09e50e97d1b75acf4abea1a078e8f8695d1edd4e7850855d7e69975ecb52c04ad3d5771464620d098706fd83c0c9d325475c01e8262374e634e9b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
c9d67834c407e37a537310ae5898983b

SHA1
992852648d7089ceee69b5704c67ed08b2004e85

SHA256
a1a9f19bdb064a9b617964152148fd01434ce87003a553e40eefad82c86730bd

SHA512
72c5d9400ee8b4cfe55ac13ed2450d27581e1df9e047eb4400b3fd7eb6ad4c341b2da604431869a85ea09a698ba4d9c60b8e8da264d17daddf2f2f72af211a51

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
e2d881ddc8afc75fe44f2c64bdde251e

SHA1
a66440446ccfb741692b1049a151657a0f95bb52

SHA256
e54d5ccb1943ec994b684e0498b7736b6902b46a82e0f37023604e1686e7cd05

SHA512
27d065e7bbf431af2b54f7ed876df2fb2980fcb090e28141f567ad82a51cf3fb9f043d84165afaf795191bd25d2ffe21045600c6d8f82c4300b7f1912df548e7

Download Submit