Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  Resource: win10v2004-20240426-en
The signatures, process tree and artifacts below are from behavioral1 (Windows 7 x64, image win7-20240215-en); the Windows 10 run is listed as a task but its results are not on this page.
General
Target: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
Size: 3.0MB
MD5: 523fbd55cca2fe1441d09a1ebae2511d
SHA1: 30ad07a2b2cd23c40e12acc6b7517f615844b0c0
SHA256: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14
SHA512: 14534a35d7ff83c538caeb1c5c38193cf10468dd8c7e740861a020815a8c94e678b59d53e97c5e09911a31d168a113c2f3d4d745447ab4989efcef6e8c716fd0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUp5bVz8
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
Executes dropped EXE (2 IoCs)
  PID 2204: locdevdob.exe
  PID 2940: xbodsys.exe
Loads dropped DLL (2 IoCs)
  PID 1276: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe (two load events; the report does not list the DLL path)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report maps this signature to ATT&CK techniques only; no file or registry IoCs are listed for it.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\xbodsys.exe"
    Process: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJA\\bodxec.exe"
    Process: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  Both values share the name "Parametr" and point at executables in non-standard top-level directories (C:\SysDrvNQ, C:\VidJA). xbodsys.exe is executed during the run (PID 2940); bodxec.exe appears only in the RunOnce value, with no file-creation IoC and no process for it in this report.
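The two persistence mechanisms recorded above (autostart values under Run/RunOnce and an executable written straight into the user's Startup folder) are easy to turn into a detection. The following is an added example, not part of the sandbox report: it runs the checks over hand-constructed Sysmon-style events built from the IoCs above (EventID 13 = registry value set, EventID 11 = file create); the setup.exe control event and the field layout are assumptions, and nothing reads a live event log.

```python
"""Persistence detection for the pattern in this report (Run/RunOnce values
plus an executable dropped into the Startup folder).

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the IoCs above using Sysmon field names (EventID 13 = registry value
set, EventID 11 = file create); the setup.exe control event is invented.
Nothing here reads a live event log.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe")
USER_HIVE = r"HKU\S-1-5-21-2248906074-2862704502-246302768-1000"

EVENTS = [
    # From the report: two autostart values named "Parametr", set by the sample.
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrvNQ\xbodsys.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\VidJA\bodxec.exe"},
    # From the report: an .exe written straight into the user's Startup folder.
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"},
    # Hypothetical benign control: an installer under Program Files registering its own tray app.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# The report renders the hive as \REGISTRY\USER\...; Sysmon writes HKU\... The
# patterns match on the key path below the hive, so either spelling works.
AUTOSTART_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Top-level directories where autostart targets normally live. AppData sits under Users,
# so per-user apps are not flagged by the root check alone; the writer-location check
# is what catches the "launched from Temp" pattern seen in this report.
STANDARD_ROOTS = {"program files", "program files (x86)", "windows", "users", "programdata"}


def top_level_dir(path):
    """First directory under the drive root, lower-cased: 'sysdrvnq' for C:\\SysDrvNQ\\x.exe."""
    _, rest = ntpath.splitdrive(path.strip('"'))
    parts = [p for p in rest.split("\\") if p]
    return parts[0].lower() if len(parts) > 1 else ""


def analyze(events):
    """Return one finding per suspicious event; each carries the rule and the reasons it fired."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 13 and AUTOSTART_KEY.search(ev["TargetObject"]):
            target = ev["Details"].strip('"')
            reasons = []
            if top_level_dir(target) not in STANDARD_ROOTS:
                reasons.append("autostart target is in a non-standard root directory")
            if USER_WRITABLE.search(image):
                reasons.append("value set by a process running from a user-writable location")
            if reasons:
                findings.append({"rule": "autostart-value", "image": image,
                                 "key": ev["TargetObject"], "target": target, "reasons": reasons})
        elif ev["EventID"] == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            target = ev["TargetFilename"]
            if target.lower().endswith(EXEC_SUFFIXES):
                findings.append({"rule": "startup-folder-drop", "image": image, "target": target,
                                 "reasons": ["executable written directly to the Startup folder "
                                             "(normal entries are .lnk shortcuts)"]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], f["target"], "|", "; ".join(f["reasons"]))
```

Run against the constructed events, both "Parametr" values fire on two reasons each (non-standard root directory and a writer running from Temp), the Startup drop fires once, and the Program Files control produces nothing. Tuning point: legitimate per-user software does register itself from AppData, so the root-directory check deliberately treats C:\Users as standard and relies on the writer's location for that case.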
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated process-enumeration events from all three processes: PID 1276 (bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe), PID 2204 (locdevdob.exe) and PID 2940 (xbodsys.exe). The original and both dropped executables enumerate running processes repeatedly; the report does not show what they look for (process enumeration is used to pick an injection target, to spot analysis tools, or to wait for a particular process), so the enumeration loop is worth locating in static analysis.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1276 (bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe) wrote to memory of PID 2204 (locdevdob.exe): 4 events, procid_target 28
  PID 1276 (bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe) wrote to memory of PID 2940 (xbodsys.exe): 4 events, procid_target 29
  All eight writes go from the sample into the two children it launches (see the process tree below). A parent writing into a child it has just created is also what ordinary process creation looks like, so these events alone do not establish code injection; the signature would carry more weight if the target were a process that 1276 did not spawn.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
  PID: 1276
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 2204
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  (depth 2) C:\SysDrvNQ\xbodsys.exe
    command line: C:\SysDrvNQ\xbodsys.exe
    PID: 2940
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
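The process tree is what makes the WriteProcessMemory signature interpretable: every write in this report goes from 1276 into a direct child it spawned. The following added example (not part of the sandbox report) classifies each write against the parent/child relationships so that parent-into-new-child writes are separated from writes into unrelated or sensitive processes. PROCESSES and WRITES are constructed from the tree and IoCs above; the lsass.exe entry (PID 488) and the last write event are hypothetical, added only so the cross-process branch is exercised.

```python
"""Triage 'Suspicious use of WriteProcessMemory' with the process tree.

Added example, not part of the sandbox report. PROCESSES and WRITES are
constructed from the process list and the WriteProcessMemory IoCs above; the
lsass.exe entry (PID 488) and the final write event are hypothetical, added
so that the cross-process branch is exercised.
"""
from collections import Counter

SAMPLE_EXE = "bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"

# (pid, parent pid, image name). Parent 0 = parent not observed in the report.
PROCESSES = [
    (1276, 0, SAMPLE_EXE),
    (2204, 1276, "locdevdob.exe"),
    (2940, 1276, "xbodsys.exe"),
    (488, 0, "lsass.exe"),          # hypothetical pre-existing system process
]

# (writer pid, target pid): the eight writes from the report plus one hypothetical injection.
WRITES = [(1276, 2204)] * 4 + [(1276, 2940)] * 4 + [(1276, 488)]

# Images whose address space an unrelated writer should never touch.
SENSITIVE_IMAGES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


def ancestors(pid, parent_of):
    """Yield the parent PIDs above pid, nearest first, stopping at an unknown or root parent."""
    seen = set()
    while True:
        parent = parent_of.get(pid, 0)
        if parent == 0 or parent in seen:
            return
        seen.add(parent)
        yield parent
        pid = parent


def classify_write(src, dst, parent_of, image_of):
    """Return the relationship between writer and target, from least to most suspicious."""
    target_image = image_of.get(dst, "")
    if parent_of.get(dst) == src:
        return "parent-into-child"           # normal during CreateProcess; low signal on its own
    if src in ancestors(dst, parent_of):
        return "ancestor-into-descendant"    # unusual: writing into a grandchild
    if target_image.lower() in SENSITIVE_IMAGES:
        return "cross-process-sensitive"     # e.g. writing into lsass.exe: treat as injection
    return "cross-process"                   # writing into an unrelated process


def triage(processes, writes):
    """Count write events per (writer, target, target image, relationship)."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: img for pid, _, img in processes}
    counts = Counter()
    for src, dst in writes:
        kind = classify_write(src, dst, parent_of, image_of)
        counts[(src, dst, image_of.get(dst, "?"), kind)] += 1
    return counts


def report(counts):
    """Render the triage result as one line per (writer, target) pair."""
    lines = []
    for (src, dst, img, kind), n in sorted(counts.items()):
        lines.append(f"{src} -> {dst} ({img}): {n} write(s), {kind}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(PROCESSES, WRITES)))
```

On the report's own data the result is two "parent-into-child" groups of four writes each, which is the expected shape for a dropper that launches what it wrote; only the invented 1276 -> 488 write lands in the "cross-process-sensitive" bucket that would justify pulling memory from the target.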
Network
MITRE ATT&CK Enterprise v15
Downloads
Six artifacts are available from the analysis; the report shows only their sizes and hashes, not their paths. The four 3.0MB files match the sample's size but each has a hash different from the submitted file and from one another, so blocking on the submitted sample's hash alone will not catch what it writes to disk; pivot on the dropped paths and the persistence values above instead.

Filesize: 3.0MB
  MD5: 11ca2abb1f93a74ff54b9a1fe3cf73ed
  SHA1: 19a572bf821da3ca1169c608e63b875f89b520a0
  SHA256: 5a71b8e5658f7ef5f14eb3043b3a6e1130344ba2ed0e1752636b7f805ac5e24e
  SHA512: abee3685bb789e00d61639a0e74ec142d045008ba24b8fad861f4d79835b326f928e312aeb330e76c8e2a3d891b5bbf77d4d238844df421884a289a6d390aec2

Filesize: 169B
  MD5: 41282c20d3df78ecb481da4c2718483f
  SHA1: 4296bb39acd9197d5617f78714a8cdeb67cb1584
  SHA256: 23fec033385630b471dc04f5a10e9cfe1a8d83ee607a66c6144c9a44d2a871a4
  SHA512: 23585ddef017220545aae8473d80c963890a2dafa69af71c515a8d2df74b228d01d73a4b7ac384d20d5e6d9519ea352ea9204160f80ddda3be2a690de544d5ab

Filesize: 201B
  MD5: bca3f281bab7d60bf8679c9e300fd3ba
  SHA1: b219c8b8d5c1c146e27ab9af2a1c9399e20c1876
  SHA256: f47b731b871d96b98e1e46161ba4413b3b03bd557a3321339a96416c757af65e
  SHA512: 4cab0f3d798d42cf21729e22c4166a95ef39b0205b7a214ba49518e13e5a1874c447a4b690871da3253bb5cfc388305a408b4f1b59256b2d3e3de72cdac1e75a

Filesize: 3.0MB
  MD5: 1df72a5f419cd989749cfa257427ac64
  SHA1: 199d60c902e06a09678d38af241deb9094b9326b
  SHA256: ffb6ae638d3c49a3583b6efc778ba3bff2e36d4dc4d671fc8bce79311394de32
  SHA512: 80455f7d288ee46d06b47c82600c78cb11a0fe750f7067d4bbdd6f9e65e91241c473e6dea7556c639c0222c15c2fbbf5d1e7b537a10eb2bcf2083719dd5aa33a

Filesize: 3.0MB
  MD5: 34d1a616b06664d0cb471894df8aa2d2
  SHA1: 009337a68583b5a82611dafc98f158a1491aff62
  SHA256: 5dac4e202b7310781a55babf92d95a9a055a4d1723c113883b66ff1b2a99eeae
  SHA512: f21ee2cb7acd68d1ab0501ef14275da6b8839990a12d522fb645e0e93144e1cf859b830772be055155ccca7ecfaa0afc3172969d2f267cf85470dd1d4e282d31

Filesize: 3.0MB
  MD5: bc852c432427b7acfd75b5629944d6c9
  SHA1: 2cf6ba6de334055bbb3fdf7b3af4ababa8050bdd
  SHA256: 43f512e6a4daadc3eea9fca3f71747905de8e672798dde0120acbe10d6904b73
  SHA512: bdb67d84b16fa2f74b03a3e4a7774f51724ba3b86a7224bc57a3873ac0b141e6dfbcb0d9f68f212897f14ea9fb8014ba3abd985ae7ca4104ec8d86014e057a78