Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 00:16

Static task: static1

Behavioral task: behavioral1
- Sample: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
- Resource: win10v2004-20240508-en
General
- Target: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
- Size: 3.2MB
- MD5: 101bf38e1feb37972931495c5944a871
- SHA1: 0e8d5d211d5e772899a73af292879be003979620
- SHA256: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540
- SHA512: dd214a0eaa868e860cdadf465d6957e61f693e351682f5090a6c89f9e2d3621bf3d930ca279294346ca47460690c36b2dbddf3422f9c9de5c80a76e16a5032c7
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config
Signatures

- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe

- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  4112 | locxbod.exe
  628 | devbodsys.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesI7\\devbodsys.exe" | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8A\\dobdevsys.exe" | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the report lists the same pid/process pairs repeatedly; counts given per pair):
  pid | process | entries
  4352 | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | 4
  4112 | locxbod.exe | 30
  628 | devbodsys.exe | 30

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process | entries
  PID 4352 wrote to memory of 4112 | 4352 | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | locxbod.exe | 3
  PID 4352 wrote to memory of 628 | 4352 | 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | devbodsys.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4352
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (tree depth 2, child of PID 4352)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4112
  - C:\FilesI7\devbodsys.exe (tree depth 2, child of PID 4352)
    Command line: C:\FilesI7\devbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 628
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: 0a15c6e3981868c0424de6ad7d093fb4
  SHA1: 1f2d2af2c24bd1adcd307916134727f39e17641f
  SHA256: 058b3b5d9e87fbe7b9d598e27519861e9c387b4ef1d7abdb00e35f7f4c407564
  SHA512: ceb4fd60ed7c4ef8a8c713370111e885c8141fadaeaafb5e3a7c6163c58c87567abf07543e20f595422f4ba1642f4796a11ea26d13348949022e1ac86966b52b

- Filesize: 3.2MB
  MD5: 976001ce9292b5870f5043c7c5616523
  SHA1: 4ea445df2a5e1ce383ef61defc43374ebb42b775
  SHA256: 893c6623996fffd89d27308ea6d4406b12193239d28ddcad5ac0a074a039ef20
  SHA512: 018c038a8afe05b417234b8dcf9b1e929dbd04018a8d7b865fc6f24421829983903729d8eb1992fec69514dea1c96485fb9cb74faff03a5949cc088fd7e11a15

- Filesize: 3.2MB
  MD5: de9ad993bb6ce983af736a980ab2c509
  SHA1: fe6a9f83c74de1814a8f72e0835ab9e6e5a77d52
  SHA256: 0974cf88e8cc6738010ba48e9eddf600d7dfe30c1291672c10922b0e690d446e
  SHA512: 31ef6985bc4cef0da57427dd705101b142a4fb04ab94a586d27c678ca4103d734cf91e8119fc703d0f1c8fa7040a256f2621babd73dc9371f80da6674f4def21

- Filesize: 204B
  MD5: cfd9de7b64639a08f4f3b919e3a4469a
  SHA1: 45a22e9d7666ca1c0b38f9f2920ec8131fb9efe1
  SHA256: 410c273fef158718972a3a3df7487642cb41594816ea586bde45fcd89ec0a8d1
  SHA512: 53b66e9b322d65ebce7505bf3013ef5f167c4eaa51b0f536ddb7df38ae8dd1511dd6e907c47632601610fdcced32a895c562d4bbcad00f1dca24a2fa82cf3cdc

- Filesize: 172B
  MD5: 37312b02e9d0d0505548249612130e33
  SHA1: f7fb9367c74aa7ed2620f91021340a6524b69ebd
  SHA256: 70d5708dc2e20a6256b60eef23a7183a4c26c0f8a07b04cacd30c5fe86a14fb7
  SHA512: db228758e42bfaa2cdf150395c034cd0bf77a7f8f4c258ca4531978bc12552ad08654f4b8df7b21ad492f056a34f7c79c3ab6bca20e201481727023b164e58df

- Filesize: 3.2MB
  MD5: d93b351d15aef16320acf10cf3d60e82
  SHA1: c63aa624e875cbf702c25fefa6f7f2c9c8f81ff6
  SHA256: ec3dc5684af8ef34fa6a4061c39354a7d3057e0e308ede1e1660216f2a7404a3
  SHA512: f12a292399558810a0bd276234ee423034b3990d35d69be369abfbeaabf4e53641a7102ea33b44e5a84ceb28224b156e53687936299760be022018231663468e