463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
Size

2.6MB
MD5

4bf8998655e04dc685c19baef7702420
SHA1

53b15a56d24bbe44c9d395916666fb328cf562ca
SHA256

463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07
SHA512

b57a20acb3affb07f9c70f4b6c6fee762e588b87f6745ca2c18806969bc9b493b5ae199244311f39b11e300f9f42de95ddab00bbdb057ee1c12b77eb48206348
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSq:sxX7QnxrloE5dpUpNbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	sysdevdob.exe
2128	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\abodsys.exe"	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN2\\dobaec.exe"	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe
2564	sysdevdob.exe
2128	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2564	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	30
PID 2568 wrote to memory of 2564	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	30
PID 2568 wrote to memory of 2564	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	30
PID 2568 wrote to memory of 2564	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	30
PID 2568 wrote to memory of 2128	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	31
PID 2568 wrote to memory of 2128	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	31
PID 2568 wrote to memory of 2128	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	31
PID 2568 wrote to memory of 2128	2568	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	31

C:\Users\Admin\AppData\Local\Temp\463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
"C:\Users\Admin\AppData\Local\Temp\463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\UserDotHU\abodsys.exe
  C:\UserDotHU\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintN2\dobaec.exe

Filesize
2.6MB

MD5
d6658fbbcde80859ae29dc8e67818895

SHA1
830cc065ced639d014b7ad6d4ba8e03a5f838a93

SHA256
de75c00e59bfc092b0f5cd934bb5447d9230c10bf73d5db7b7320bb55cb899b8

SHA512
3b0fc78289c7e338d6c75e10de642dc59e7d2850ed10bece679196e38a6ce65b513e1276be14ff3590e4651e608872d7898affbc40bf83dabcf2cd1e2d99497d

Download Submit
C:\MintN2\dobaec.exe

Filesize
118KB

MD5
7600ee9fdbab39235bec021de1a3f95b

SHA1
565f35fc08e71f6cd028e6bf4d7303f0c8bb9781

SHA256
60de1a80c70a3c20c7afdbb4a503bcac8c348a77fa86456bea06518757c525ba

SHA512
eca857d978dab34f3be27ec800becdb18e2368f0a02b997a258131b703c641710f8ee712a086919bb8b2989e58041082e5134d7af4bc423aefd16c9344865a42

Download Submit
C:\UserDotHU\abodsys.exe

Filesize
2.6MB

MD5
e3a056021011d94e7c4b666506109644

SHA1
14e7b52588b0614929b6512e64e85260a4aacf24

SHA256
9102889141b1f6d8c621949f1e93ee3222c1aa9d7f771e3aebab461afd8d13e7

SHA512
e1eec1b18a65c47a0d053dc5e9624b77809541423939d0f56b501096bf68f148a18d65978eb5e98c735e926aeef22f4f45a09ac96e523c9e5cfa9ed0a306dcfd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
f4ebca77c1eac5c1811b0bf95cabac89

SHA1
69fb38571ae639bc05318b0e85fb697f4b13b5a0

SHA256
75fa42fe04b2a3a67a55ada2820ec32aeb49877fa4606c43dc4eeed68f78876d

SHA512
ef6dc54f522abd1f9fbea68c71a71f3f22029edd2cfb60835f41dde099f54e263d938314ba1fa9cf6cdd36039d0f538e9c4ea52adee400244deb4ed0647a29da

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3d3ce5f4cd55da355ecf74517526fdcd

SHA1
8a010d2231bc8318dbbbc597e206eb93f15b0aaf

SHA256
184ea314e5d68c644963c26aee02fa5872da7381d3b961d68dcb461062880cb8

SHA512
172fcd90edc61dc85fc6de4a7d61d204d4273db7237a79aec20d5ffaa608c6d38ed1a8e2fc96c9245d9af32c518f2e2054b39a214c9d046e0666ce1158071e75

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
ce9ff8223b831c8be36c0c6e7fd852ba

SHA1
3bd3e248fce6586b6d18723620fa5dc9b178204d

SHA256
1b522218fdc787b04fe5d31db8eaca51dab5398038cea87d2c72161c18f973e0

SHA512
65e0fb8a21a7921296a06463ee07ba15ae80e59034aaeebd904894884f91e50c81b1339e8551be4c774372b62a4e212bacef48efbbe3eb440448d6d6aa64df85

Download Submit