2f59f2c13d923e9bb01ef423f2daf60d4dc7fc024d5a56e29dd48c77b75be160

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 23:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3352fde1244027dd7cfaf8506ecb3270N.exe
Size

3.0MB
MD5

3352fde1244027dd7cfaf8506ecb3270
SHA1

3dad82981a3ac30bf0508a2ab03e3faea8f78159
SHA256

2f59f2c13d923e9bb01ef423f2daf60d4dc7fc024d5a56e29dd48c77b75be160
SHA512

5b72b3d3ba60c9a10fbcb74a6b9c7ebb250e3e81c2620bd8ec772f0d769dede6ab0573fd011b0ad5974205b336858d198b3e03cdd0f7f2f7f7900d8d86a509da
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	3352fde1244027dd7cfaf8506ecb3270N.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	locadob.exe
2244	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	3352fde1244027dd7cfaf8506ecb3270N.exe
2400	3352fde1244027dd7cfaf8506ecb3270N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKX\\devbodec.exe"	3352fde1244027dd7cfaf8506ecb3270N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIN\\bodxloc.exe"	3352fde1244027dd7cfaf8506ecb3270N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3352fde1244027dd7cfaf8506ecb3270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	3352fde1244027dd7cfaf8506ecb3270N.exe
2400	3352fde1244027dd7cfaf8506ecb3270N.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe
2176	locadob.exe
2244	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2176	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	30
PID 2400 wrote to memory of 2176	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	30
PID 2400 wrote to memory of 2176	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	30
PID 2400 wrote to memory of 2176	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	30
PID 2400 wrote to memory of 2244	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	31
PID 2400 wrote to memory of 2244	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	31
PID 2400 wrote to memory of 2244	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	31
PID 2400 wrote to memory of 2244	2400	3352fde1244027dd7cfaf8506ecb3270N.exe	31

C:\Users\Admin\AppData\Local\Temp\3352fde1244027dd7cfaf8506ecb3270N.exe
"C:\Users\Admin\AppData\Local\Temp\3352fde1244027dd7cfaf8506ecb3270N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\SysDrvKX\devbodec.exe
  C:\SysDrvKX\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintIN\bodxloc.exe

Filesize
1.2MB

MD5
eae9e709342cfb6d25768dac96ca9023

SHA1
ae34b1e73d16731b7cf217b75da21d10cdd0d570

SHA256
43141988ba9385d7c726d200f7e8ca8a1c3d0eee0f7a08abf066932ab66e7747

SHA512
57bc5965b7ca653ffc6bd3abcfd848b399daeb62c3bb96bbd583322aa46b14037a010eed4ef3d3b0de25e0da2ed6c0c6271124f57310d2723b4facd4680c2312

Download Submit
C:\MintIN\bodxloc.exe

Filesize
3.0MB

MD5
6c01e26667f3d38795221e22e3c8ff29

SHA1
569a861ffa102cc60f011a83d6f6340ad6c04af2

SHA256
ecbdb28613e15aba7de08bbdf62a743274dc3c8a842eae8a99f9e16bc55e4bfd

SHA512
fc3c0dee542357cc26decc58eb662dd96691816d33af9437c6fe0ec5e1ff283ab8044a4f69b6e8672fa19dcd3fac9656227e82ee598985fd4c117bcff843014c

Download Submit
C:\SysDrvKX\devbodec.exe

Filesize
3.0MB

MD5
10d0685ba61f754007605da22e5ba992

SHA1
dbfadcbf0398a6ae6504313b00d8b9a365c99f74

SHA256
1bc9dab76b2c3a4e1e5ab41eb7e87c14dbdf9c8257154ff88250903c1c0ade8b

SHA512
347be5fea78c4b475ccf81972e27846aa209de875a1668f5a301be8b8b72b4dcbc9a58f1dafba4833d3694213d173b9940c79308ad4bf9807a8eb15de3a49ecd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
f2ff3677dfb388b7c078627eeebd5f1f

SHA1
646d6e22ed02cdefbf7e692d8880c33f799aa8e5

SHA256
4ee032ea1afa5c09e78cef71c84df6e734f163dbaea483c98b4969468ad8a518

SHA512
901255fef975ea9225ad0bfad7c7a73e30729c44651a616f35abe03afc8816e71063fe926c6c968d952bbc928f03858be4cdfaddd6f29532a1e2e1e0d5193f7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
44c8221c16762c0d676d5a6c26b746c8

SHA1
243f791c84dfd2c9ebd98b7e81cd0a5c299f3f3f

SHA256
c08dce2e75fbcca5c14088ba7d9aeb2697951d90f982136ad4bc75426c95dbc8

SHA512
9085b1901a1c02bfb736d94ea4e4c557f1fe432a980fb7b0556fbe828f89fdae6489d1c3ccd1a2f15222836562d676bde7517bfd89723cc8d1ca24b86cac491e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
6c4edc1a3358ee97acfe6eefac73d8c3

SHA1
d6d02cd3900a1c4014e28973d6ab6514a9e27a5c

SHA256
ee817fae999331f1a8198208503c641cd04767dae8128d214c3042a1a563a088

SHA512
3cf723bcee575ae072ec991bf166a1d5e4399b89e13e3c10e73247a592412547a970af5f889b7dd941abbaca370367694e83e62d08ea38584618c35d36f7fa10

Download Submit