8343bd388dfab8ac612ae9067a2f63e658aef3a91cc985ae8ae75ab8a3088b16

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6b0e109146cb1927bb63b00c959570N.exe
Size

2.6MB
MD5

6d6b0e109146cb1927bb63b00c959570
SHA1

6f7109c0e09b1453676277caedbabda2536497ff
SHA256

8343bd388dfab8ac612ae9067a2f63e658aef3a91cc985ae8ae75ab8a3088b16
SHA512

57b6e959370552660a9c12bc338ab3bca41fa0651ee4ada13a5cee711f9faa09eb725cb7e22dadd94ecfe739be8ec01c87fc4218a5bf98a3cfbfe097f86f681a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUp3b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	6d6b0e109146cb1927bb63b00c959570N.exe

Executes dropped EXE 2 IoCs

pid	Process
1864	locabod.exe
3036	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc51\\xbodloc.exe"	6d6b0e109146cb1927bb63b00c959570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKN\\bodxsys.exe"	6d6b0e109146cb1927bb63b00c959570N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	6d6b0e109146cb1927bb63b00c959570N.exe
836	6d6b0e109146cb1927bb63b00c959570N.exe
836	6d6b0e109146cb1927bb63b00c959570N.exe
836	6d6b0e109146cb1927bb63b00c959570N.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe
1864	locabod.exe
1864	locabod.exe
3036	xbodloc.exe
3036	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1864	836	6d6b0e109146cb1927bb63b00c959570N.exe	87
PID 836 wrote to memory of 1864	836	6d6b0e109146cb1927bb63b00c959570N.exe	87
PID 836 wrote to memory of 1864	836	6d6b0e109146cb1927bb63b00c959570N.exe	87
PID 836 wrote to memory of 3036	836	6d6b0e109146cb1927bb63b00c959570N.exe	88
PID 836 wrote to memory of 3036	836	6d6b0e109146cb1927bb63b00c959570N.exe	88
PID 836 wrote to memory of 3036	836	6d6b0e109146cb1927bb63b00c959570N.exe	88

C:\Users\Admin\AppData\Local\Temp\6d6b0e109146cb1927bb63b00c959570N.exe
"C:\Users\Admin\AppData\Local\Temp\6d6b0e109146cb1927bb63b00c959570N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Intelproc51\xbodloc.exe
  C:\Intelproc51\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc51\xbodloc.exe

Filesize
146KB

MD5
8e4200612caff3df522da7999f4e69a7

SHA1
ee028b9a3c0036aed73e32db8cef974d75b68ba3

SHA256
dc377d868fc92b17def0570417cb110d4438dbddc39ec3e7b459913ced95d531

SHA512
7d91de6eaf6cc451f9be2a0885622f2d57aa39bc9d51643e50c57dfd390568b36e8ca1bd976b594849e92c48441f1c5f195fce5c6113d2d7682f87ad39e8193a

Download Submit
C:\Intelproc51\xbodloc.exe

Filesize
2.6MB

MD5
4ddd5e9c2da75a9e2b4a56892b6c4ebb

SHA1
9041b66762fb4251bfc86c7a72225ddc6610b7d0

SHA256
e73d5f31979f84ffa5cbbdc9798e103037da9bf3a17d9ad4447d2510d6f9037d

SHA512
90d4dc813f1cdc9ccb3dcb69efa9c7484174f5df3189e72690ff65ca421dc42b306a943c19aac93ed6be4b738e5bdc41f5df4372eb9c67d6df148c660494845a

Download Submit
C:\LabZKN\bodxsys.exe

Filesize
256B

MD5
bae5eb085a9f023b8d36e2a083933bdd

SHA1
c8f3b383d6ce74e8606027a03db4b0ae08c513b1

SHA256
b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

SHA512
93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

Download Submit
C:\LabZKN\bodxsys.exe

Filesize
540KB

MD5
a6de293817ec775c9207733eed6d1838

SHA1
24fbc009a2d8812f98b8510330c9c0f25135d40a

SHA256
b1d9f76ae5fa520a5f1581f6c4008b450777ea0a8773cb6798a3c2201279a302

SHA512
bbb50134b01e29441363a6a59d1f75833316ec6173f6cc01aa730dcc0b2986dc4e32396ccd2776abd0fb0525799775ee79bcbee7f0b3355ee9781ef6f3680b2b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
75d0faa2e2bb2289f8ea51ac58e541a0

SHA1
1db13d14c5cfea3cd30dc44ae51ce01b2d4700ff

SHA256
db08ae06a602f5d17c5222886f3e95d656d95ac56a02018792279bf937d5ea25

SHA512
386fac23208ba922baa6035f43d09adbebb2529b8c299699574fb7677eb683dc210227a93b7929c96203c6d9e295bc10db6cc1f4c773b5cf41a4d1e2994754f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
a7b9c83206fd1a1a6097f5aca8abb9ce

SHA1
9f4a792efa3dc4c3139b016f77823ef5ddff8d9f

SHA256
b54a274804c50c92308a0acb6e2fdd701f4faa8dfb8335326b251d1c9561e574

SHA512
873aa986a5c37ce11dec5667b07e2dedd4d26ae4807b2fbdfc6a58aa8467c0b06603c1184a9828839141df9ec454ef38eaa21f26f37c4bbfd99f74ef802b8978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
96e5ae91c837d2349c54ac8029c4058d

SHA1
5002647e13e182c29d68e15fcba294e8a10179ae

SHA256
24014cdc1f961d6fdcc51f5574f7e80e3bf1ffa211b3118b3d0b902abe1329db

SHA512
c877ab4d115bc623b67c8d00750b2db4cd0bdbb42ea8debea56de89d28ea21686c1ecc3abc96df409116857ae7bc64cf48375cc917027960c5c123ac4e5fec26

Download Submit