4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
Size

3.6MB
MD5

77c84bcdb8342762271a6bad343f6b72
SHA1

112ce87c47a648954fb86dd02978017601fa0912
SHA256

4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039
SHA512

f0925264c81568ae5300fb186ce1f56bab20bbc68f864f7d398d1df40e216ab005462558cc252ea7ea122ad469e264ccc9610505c27100af01426aff07b29ddf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	ecdevdob.exe
3224	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\devbodsys.exe"	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTR\\bodxloc.exe"	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe
1572	ecdevdob.exe
1572	ecdevdob.exe
3224	devbodsys.exe
3224	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1572	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	87
PID 1692 wrote to memory of 1572	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	87
PID 1692 wrote to memory of 1572	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	87
PID 1692 wrote to memory of 3224	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	88
PID 1692 wrote to memory of 3224	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	88
PID 1692 wrote to memory of 3224	1692	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	88

C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
"C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\FilesP0\devbodsys.exe
  C:\FilesP0\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesP0\devbodsys.exe

Filesize
525KB

MD5
50aa6bee3d2e8e5a31452b940658dab9

SHA1
fb60967691aa2ff769740e0abc6cdbb6ccdcc8f8

SHA256
3bb90b2609f8e20e3947ea98f051a1b46819148418a83a47bf730524cacbcce9

SHA512
24cc2510c0b4465ed3c713e6dc7f3e38a3b9567b6f88a7cae81e1aefb4e5c33aa40d774347ec165252ed6d76d174b8229ee55e0982cf02c19d3f04a9966661c3

Download Submit
C:\FilesP0\devbodsys.exe

Filesize
3.6MB

MD5
51ad7ec32ca540378f89634e44b99917

SHA1
009cb69856cac31e53d80637f09a6b511aba11fd

SHA256
e921bf1793edf9e4321e9515484b27cbc6cfe2fb01ba28641d229f658108347a

SHA512
8619dc707cc31f211de3362d041ce071f91aa4b8830f7b8df0fdead3339caea86967c23f47371baabdaee1500de6ac9725ffb24f6189186ec9bccd6a6075d132

Download Submit
C:\GalaxTR\bodxloc.exe

Filesize
10KB

MD5
211c211281a83cae04ba8989e177223a

SHA1
2c6a912a90ce71ae095e8f16a97222e28964a271

SHA256
c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b

SHA512
10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb

Download Submit
C:\GalaxTR\bodxloc.exe

Filesize
1.4MB

MD5
22283b11de359826c014e1871de3f383

SHA1
83b42d1f4680b1d6b6004b23307e805595a40746

SHA256
3f456dfc167a113cbb554919c1f3a14a0b3089fb626ee0c24b92baa72a8fc91c

SHA512
970605edede5533a7ac90ba06b018b29b7c393a7f3191d9cc124f450119dd2f38d76eb88c65c88b1af32fb727404fa7f48ab963799e8b603b42ffe472e976244

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
590bbc03bea59ca5eec167e87d81ec63

SHA1
286454970195b190514d3c52badfafb4be07a082

SHA256
5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822

SHA512
5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
6a64c9ba46a6f32dc6b2aeca90b309cb

SHA1
432e0de09b22ac58f64943e0160910909380f96e

SHA256
c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7

SHA512
1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.6MB

MD5
7b944908946614b731d06c0ce28e132f

SHA1
287034597413a005ba0db6d970de0b47ccf7c32a

SHA256
a6449fb97ff90bb8877b46d0835f4a71e56ba60f9d44ad3a13f913329bff56f2

SHA512
80ffef77934f2a9161937841a2136894a10a4e32357d27758ab9c28705145fd44f642af11394c6e79f0483b18d0fc8851312cc685ff7e8d03d893723e3d68394

Download Submit