4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
Size

3.2MB
MD5

36daa91015e4d10276de98908e3c5fb0
SHA1

2493b6a6ead8d3062aa352c903bcc4f5b9dae25a
SHA256

4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f
SHA512

4e4b8703f1a00be5ae73d905c29ca744666c2a73518beb545f97931d80f9a6e0afeb231c4e607aaa3af6f98dbffd6b64f5404229ca5d56ad5842dfab11a278e1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe

Executes dropped EXE 2 IoCs

pid	Process
4356	locdevopti.exe
752	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVS\\xbodloc.exe"	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFO\\bodxec.exe"	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe
4356	locdevopti.exe
4356	locdevopti.exe
752	xbodloc.exe
752	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4356	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	98
PID 4388 wrote to memory of 4356	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	98
PID 4388 wrote to memory of 4356	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	98
PID 4388 wrote to memory of 752	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	99
PID 4388 wrote to memory of 752	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	99
PID 4388 wrote to memory of 752	4388	4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe	99

C:\Users\Admin\AppData\Local\Temp\4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe
"C:\Users\Admin\AppData\Local\Temp\4351bbc0418b60fcc602b978c3fac8e41211e72a885888e73b5692e06614ca5f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\FilesVS\xbodloc.exe
  C:\FilesVS\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVS\xbodloc.exe

Filesize
30KB

MD5
f178be048c500a608712f57e281be52b

SHA1
e7f066cb781d37ccbee9c8cbb803cd106b6a6cf3

SHA256
0592bf14d1ffb5ba7f2912c29cb41bcb7960c176f60c409570155b0a2aa68736

SHA512
02775f06193d67ff3e6c201ebe5b18a698dde0c8a944b8ddeba26772d5035f844817bd6e8d1933b2d09cab508cc64ef97654f7f891b664efc663275b97cda1d1

Download Submit
C:\FilesVS\xbodloc.exe

Filesize
3.2MB

MD5
f1907c58206ea58fd889ec847c38ab4e

SHA1
1d7bd17c1c6362ee9f5da319077dfb53d451aef3

SHA256
72758f3a364ca0e1eb451396dae33b389f3e3aa1dfd17b556d088ea8bce913bb

SHA512
bbc52396bffd290afa56e6060b520d5412916b8eea23b8eb1dbb24c8d2625640ef781a25c74571fceb0da6888b88b66e6b33ec3bd9fcd32cf79fca8cce996b00

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
6654e57de0222dd06126187b58210eed

SHA1
1a4b93e321f5e93a7478eeda6bbc7fa577be6f58

SHA256
1ce41c508f75e2e08d7f3e0317657ae6b722217017bfad69eec7bb8310761b92

SHA512
493d6c37a4a0317e1557afcb0ba32a9d09dbb5a6f75a2c5c008145c85d0ad61930d46d0e2dd8284bbe6fb1c2fc10c07d926170e6d89f4f765a42eeb86fcaeb74

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6856cf017dcb498e67b5db2586f3c5d9

SHA1
5c246e0c64f424f2505e535095e417c405e1aa7d

SHA256
816a91cea79a9dc76aeae58cd597b39cf4f35095d52141491d1d34d3f7a74087

SHA512
4b0d3635529c753ca01e5a9471e3baa8f13a994ac243809002f70cc277ca8869bd75895b343c3683c2540b3835977d5b237a0c00f8462e76e0d6d1af6dddf381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.2MB

MD5
96b7d816ace29c801639c4ba17d9a0eb

SHA1
6ee3d8d77593d765505181bc051599cebc0d6f62

SHA256
5cc590f800a42a6eefc3c9a9681430f43d4f3e01b8905bd60510540d40129edd

SHA512
fb4f6337d849f964f2d59ae96a3eda17c9ab82174589daa55118a1f50e65194800a039810365d2d42eaed1c51989559968b9a13a78f2781cc0b3bb6ff2948ec0

Download Submit
C:\VidFO\bodxec.exe

Filesize
496KB

MD5
ab0d79b01ce601db5e02c5e3bef4a06f

SHA1
85b9a29b3ac7553eb7aa6be301fc71e8d028df51

SHA256
d88bf04ec4395fdb5cf421f72bd26981baeb997fdfb5dcc1ac69237f91531265

SHA512
7d7789b98b9274f1427a686115886bbd8a080449b9dd4dd07aa7849c8db8406f46797a58163d5fa1ff45d51796d8935684ee5fd5e838ae1d18a918d7b1998272

Download Submit
C:\VidFO\bodxec.exe

Filesize
3.2MB

MD5
49b9ef16dd0e878237e14ef302eb737a

SHA1
cee2b878790865f5d03857deebce467f6e11752f

SHA256
9b6a3effb28eceb3711290681a751df21356c227905e56fed2800ffdceb0c985

SHA512
e07e6d852223e17605eb114bac5c7336fdd77ac06cbf1649cadce495d92cf75cd954fba6e7b7fc47c1aaa43b45f9b3d3620f79f2263a2f33e3db66ce03374fac

Download Submit