a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Size

2.6MB
MD5

0c78f8752b54e17f04b38f0fd76b6e9d
SHA1

61ebea8924e0dece82793998454dff1e1e33b2e1
SHA256

a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592
SHA512

c1e02b8b2613a843dac795f80e27dcbe74d3c14968347dafe8f4f913adb4e74bd05cd524c6a555fbe6ee4734664c94ccfd86a9e4db3fb74fefb01b6c7e3b7121
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpKb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe

Executes dropped EXE 2 IoCs

pid	Process
3080	locxbod.exe
2748	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEE\\optidevsys.exe"	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVM\\devbodloc.exe"	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe
3080	locxbod.exe
3080	locxbod.exe
2748	devbodloc.exe
2748	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3080	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	89
PID 5028 wrote to memory of 3080	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	89
PID 5028 wrote to memory of 3080	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	89
PID 5028 wrote to memory of 2748	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	90
PID 5028 wrote to memory of 2748	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	90
PID 5028 wrote to memory of 2748	5028	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	90

C:\Users\Admin\AppData\Local\Temp\a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
"C:\Users\Admin\AppData\Local\Temp\a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\IntelprocVM\devbodloc.exe
  C:\IntelprocVM\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVM\devbodloc.exe

Filesize
206KB

MD5
eeac235b928d0fba3fa52837f42132cd

SHA1
2dd961d50771d81b29f4177fa1cab6d442bbc46a

SHA256
7b01accfd28116618def125470fd0bfcdd1b151e98888b3027fde945566d5b5c

SHA512
683cbb61657f3f79a5edd3385a8cfc5bbe364d54760e65eb3d52a0657d1d8b56eaffdebcc9f6037ab49a48355fe8c63b036a3e2289950615e7917972e56eb45d

Download Submit
C:\IntelprocVM\devbodloc.exe

Filesize
2.6MB

MD5
df81b4b7f3d7979116712f5c2298a063

SHA1
395eed967aaaf0adfad0ea41732522f9e5898bb2

SHA256
b36ec98b43c0b0e250b5ac062b6d6dabf307b5efc57964e29e6165af76fdab8c

SHA512
a79b3bf17242e164c301cc4a2891708d9657ef827356587fe6fc8c766c08bbaed0bc2d7c545160c3669b8a78441236abb3130f2f6fcb4b9cf5e3c0ba0e2eda24

Download Submit
C:\KaVBEE\optidevsys.exe

Filesize
2.6MB

MD5
9f899faa89cf3a02f5a427a89348b437

SHA1
b06ee5a392e713fe4f47536634d6ee04ee8f0326

SHA256
313405c385006fee1eb5b88f7e5e10da4c2e4dcab2cbbaeade2204fcdbbb846e

SHA512
621c25bd9fd312452a4abddafb1d7e2748536c6b4d53b331acca84437d28f08c3f437c891bdcf23d08e0ef82b517620fcd6b00f84f2b1b4cb16d1e26bdfa8e6a

Download Submit
C:\KaVBEE\optidevsys.exe

Filesize
2.6MB

MD5
1619a90cc345539397b07fbe3b6d665e

SHA1
dde490af08d64bd88888cfa07ba4fc48ae6de75b

SHA256
ad49c12a0d20b80326a5e45f32d33257db1305daeabef555ff6ecad8aa5825a9

SHA512
103df3f09ae97edf2d7bec407d089ef851bca3941e6d16cd9bd6bc1da73d8e50f9b0aa04c5338b718a878524cef779ef3892afa6820021a3bb85e56e2d4861d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
22ef96908025583faed980994726fa5a

SHA1
7ca3b50f18160db7f12f9bf8785783d0b223423c

SHA256
760086432c0870a8b34ddf96482c90911e7ef4ece9f15548a900c698a2652a42

SHA512
adf84926e943fd0f9b3fbea51a566711c40383918e99413b6d77d35aa538ebe5543df15d2fc44622ad708cebc7c13958d73e605082020cb88747981f492a3d08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
a595a83ebde3dc9565c215100d986691

SHA1
34e3d85b78f52a415ec0a47c24b4c9e7e30012cb

SHA256
02b34af7460b374e5630b6ca5c5a64586cdba4e95049abf5045e700236684cee

SHA512
f1dd4a8f50a9806670604a660bd0994ff4b336113b6f1c3a1ef7cdb67316c405832c2df6b52c78ad2553ec82f62c88657125778da8f3dd2b61d01064499e1a69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
329161a9ba0bf3bbfde7a3c108f943b6

SHA1
907a345c03d3a595e7db078c54ef31b574ae9ea5

SHA256
50631c4b50d7f5b2dbe8ff44b492ecaae8af576c3597f849f38d486ec8f2d5a2

SHA512
94e7d8fea1b0663b61aea7b64aad0f8369a64f81397a57859374fc932f571b4e443502c49741e8d0443d49345e579b0c2beccd5e2af9247751e1515d88cb932e

Download Submit