6cc4f42f490e9206448d9bf8d96f976d615ff35de90954adfa89d8cefea30fff

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de5f790e6901157e698d4af0d4f1ac30N.exe
Size

3.2MB
MD5

de5f790e6901157e698d4af0d4f1ac30
SHA1

9b2e03bcdeb836035ca94157981b59170ded9e9d
SHA256

6cc4f42f490e9206448d9bf8d96f976d615ff35de90954adfa89d8cefea30fff
SHA512

2b367f0ca4af553b274099f11eaa511e5dc34e4d62205fd67b4bb05abfdbf8b669b34c0fbf33d4bf77522cacc0e0ddb9daa5faa371ce8182190f9d3a409eae1c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	de5f790e6901157e698d4af0d4f1ac30N.exe

Executes dropped EXE 2 IoCs

pid	Process
1112	locabod.exe
4016	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX7\\xdobsys.exe"	de5f790e6901157e698d4af0d4f1ac30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQS\\bodaec.exe"	de5f790e6901157e698d4af0d4f1ac30N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de5f790e6901157e698d4af0d4f1ac30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	de5f790e6901157e698d4af0d4f1ac30N.exe
5092	de5f790e6901157e698d4af0d4f1ac30N.exe
5092	de5f790e6901157e698d4af0d4f1ac30N.exe
5092	de5f790e6901157e698d4af0d4f1ac30N.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe
1112	locabod.exe
1112	locabod.exe
4016	xdobsys.exe
4016	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1112	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	87
PID 5092 wrote to memory of 1112	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	87
PID 5092 wrote to memory of 1112	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	87
PID 5092 wrote to memory of 4016	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	88
PID 5092 wrote to memory of 4016	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	88
PID 5092 wrote to memory of 4016	5092	de5f790e6901157e698d4af0d4f1ac30N.exe	88

C:\Users\Admin\AppData\Local\Temp\de5f790e6901157e698d4af0d4f1ac30N.exe
"C:\Users\Admin\AppData\Local\Temp\de5f790e6901157e698d4af0d4f1ac30N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\SysDrvX7\xdobsys.exe
  C:\SysDrvX7\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQS\bodaec.exe

Filesize
3.2MB

MD5
e3d0f70f56f1f6c37c5ec16e234291b8

SHA1
aca67a35d9cfe51ddff06f5c59c9480298014a56

SHA256
eaeef25efac6f13035117b6e97a030972bc1e71b4dda85c9c76ee937723e7ec7

SHA512
026b8d2f8f3e1b2643ac1f9a0e2ab1d4f2dad800ea1511a9662e4ba5483fbbe9511a49931da4abed1617a0c87add687c93e80bdfae7e7cb55fae1a15c4b979db

Download Submit
C:\LabZQS\bodaec.exe

Filesize
3.2MB

MD5
fac6923eb4c83847714b47765042a8be

SHA1
594f14e815d9c7097f010d0a26de5dddcf072058

SHA256
edb089df3b77aa4a71b5fb3a782e347dc75fbcb8997467775d2c96924544696b

SHA512
5df9166990627972ae8e9fcfa1cd3b7038f9ed13ea20d42e42daefefbbafef1c787bc3c66c3ef94e78f2117fc7cc16940a1c274de6b30984c95730d9b1677774

Download Submit
C:\SysDrvX7\xdobsys.exe

Filesize
3.2MB

MD5
498acafd9eade6fe249bf4c031d2328d

SHA1
9a41ac578c38d09226338812ad4bd9a20ea49cf2

SHA256
7ec67729b1cab016e7ea357f7091b7b304ed44b8411ba230a919e19c7249242e

SHA512
ca2785f45888e63cce7e0523d1a3ba704bf75194acf9c21eb2fe82af887315fcb9a0824ee10cb0017cde82ddb983133bec691740ef51268690fb2064a6c1e9f6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
0aa15e2527e929a9903b8e86e59eac81

SHA1
36b6eabb80a654f9dcf3e3826adb7a02cec92450

SHA256
6427c6e2ba455fd09bcd9ddf75f0a45579b3d58e86a3c5efb6f9f847e50728f8

SHA512
f3c04667d384deecc36c7a621fbf6662f4119b886d110ac32d977313fae0d94bbbfefa35b7503341ce6044a9c2d3393d870a09207630dd84ae909e42268ce7ca

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
94543687829733de513dce88b3642bea

SHA1
bf43232b62b0f3f1dde251554da624e334f12b06

SHA256
57ca557f375c9342af765b972b53c1c46335315dcaf144e9637720c02403629e

SHA512
009aabad419e7e2c6e80cb662e9fa8d403d6cc7f1ddbafcf3b0548eb15a43ac29654426578971ea84ce9d8586cfdf0bfdfb6e943afa033701407b87d954345c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.2MB

MD5
2d07aa0c0bffa923dd7055365e894fba

SHA1
95761ccd172d6c598e2e6d86d2557f6323d6536c

SHA256
7e7bcdaaaa6d18d9eda508981a7405451c1ecd23bd10da0450fafde2c26da99b

SHA512
80203fc0efceb3230a67ef6b0780737ab428d35fa5375d0d8a1fc560e8996ab98c3cfa8c4d74e4695245da7bba15e5e037981f7bd647aff45ab76fe2a85bead3

Download Submit