c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
Size

3.0MB
MD5

2c602f25023f515858ec1ac290ea2300
SHA1

f46959cea0469f325b293310b7e87e4a7396b889
SHA256

c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72
SHA512

0e032ffeedd589d1850dd4387eea8a22be815efeefab0dceb01e505b0c7bfbdc8076d8133d1ab97945f08e8c2bef36108a54229fa8d4f84028c010e3ccb6ceb3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNX:sxX7QnxrloE5dpUpBbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe

Executes dropped EXE 2 IoCs

pid	Process
1396	locabod.exe
1920	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNS\\devbodloc.exe"	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA8\\boddevsys.exe"	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe
1396	locabod.exe
1396	locabod.exe
1920	devbodloc.exe
1920	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1396	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	89
PID 4288 wrote to memory of 1396	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	89
PID 4288 wrote to memory of 1396	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	89
PID 4288 wrote to memory of 1920	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	92
PID 4288 wrote to memory of 1920	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	92
PID 4288 wrote to memory of 1920	4288	c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe	92

C:\Users\Admin\AppData\Local\Temp\c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe
"C:\Users\Admin\AppData\Local\Temp\c44dc0b47baa5cf2e0d61ea3dacd8d2104f4a6df2114922a25811149fe459c72.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\SysDrvNS\devbodloc.exe
  C:\SysDrvNS\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZA8\boddevsys.exe

Filesize
3.0MB

MD5
5063daabd81424d047c8816d73b04f42

SHA1
bde49c3c462e7027c3e2e5fe017bb8ac495add4a

SHA256
25eb96033c08ee6b98344876f72000e6ed54f6e8192efa867351f273e8357991

SHA512
1ed073f7a080bf11ba509cedc0b4b088407b2e00c7a0bcfe92707cc7abc8f26551f05165b3cd420297c3f42dad21985a3c401321846d1a8def31af8dc0fd9209

Download Submit
C:\LabZA8\boddevsys.exe

Filesize
3.0MB

MD5
f727d310682ae996185aae4d0dfcef6a

SHA1
5b7f4e9fd90e3ae880e97568a7e1a4e971ccd0fa

SHA256
82be411a1dc18ca277a14e9e94759ad78ed42ae8f4622a60d198a1de350c46ed

SHA512
33ffafde32e89a96fc13100fcda7ea0d5dad91ebed6ef849e74789ad294631cbd259e790955823ad244491e9904b04b7a64355b375d9bd0db4606330b51d4fe8

Download Submit
C:\SysDrvNS\devbodloc.exe

Filesize
3.0MB

MD5
825d94a0510b6e1295bb80d1957a96ba

SHA1
dbde11c3e12a5d4dca2f924d2f8738d923eee8ad

SHA256
ca454facb135b42ad708923cfdcb654f947cde5310571de472ac82f8853ecac2

SHA512
d355db638592cb21b1f79427b027e0a7eb808f97fb065409c75fc83d80cf32ef761b526afaf14db2f6a76a1d2913f22174bce36d4fb713776b5abf8ac9b32cd0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9e81f75e05943e7195cc68a0f787b3a8

SHA1
149858c6f8cd05eb00533f5dc13bd4a5eb0d1f7e

SHA256
b16560dc1414daf0ab64a6801742e8fe8b7c65dfef5c14ef8f52ec69848cd2ea

SHA512
066d1f508d519df6e8b5421edc80efe08ba8a36aec41cd98e5cb1874bec0a1383ee51bd3f4573dbced7df957cc89aab71d0db83a1810a965d61b2004b8095296

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b00d39a3a22ab9d61393e8802df79ecb

SHA1
75bdcc630976feccd001773d77cef56bbd9da963

SHA256
b48f4aba93c047cbae1e1a7ab0ba378439df0881b8164426f757ba56c53e3243

SHA512
0417fef56a17cc374f5294aee25e8e2daa4fa950b0cf2409108dda1e1663b45d94151c81621c93bbeedb8ef2a477c7b42464ae84dc6edb93469e64aa28e63fce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.0MB

MD5
998063463982bb48ddee093d60d65ad4

SHA1
520412856b60f8e3e11447d8da64972714db6c03

SHA256
a97e60284ec8db06b2392780356a60ba9706af8940976738254b258475e47597

SHA512
e77c44f31339c1b16b943b43a365eb485dd132e3d391e6c218af21e560cc12c7277470f614bc6ad9d0fc425e57b0a5f74fcc1f641ec0ba69aa464b6d57df5da1

Download Submit