774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Size

2.6MB
MD5

9ce45bfe76f2151b5cc1f71e4d5b3790
SHA1

d7bf4f015d2e29040c790de8b268ed0ef4a108b2
SHA256

774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf
SHA512

5e0babfe1a9eaef2f5ec9ba459b9ad165116d991fad95fd763f23e14e51bab8471315df75ccec0c9f796f2bf7c1cf7cadde1f6e87226613c0ddec8cc42de8e8f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	locdevbod.exe
2988	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMK\\xbodsys.exe"	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVO\\dobdevsys.exe"	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe
2492	locdevbod.exe
2988	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2492	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	30
PID 2812 wrote to memory of 2492	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	30
PID 2812 wrote to memory of 2492	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	30
PID 2812 wrote to memory of 2492	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	30
PID 2812 wrote to memory of 2988	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	31
PID 2812 wrote to memory of 2988	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	31
PID 2812 wrote to memory of 2988	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	31
PID 2812 wrote to memory of 2988	2812	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	31

C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
"C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\SysDrvMK\xbodsys.exe
  C:\SysDrvMK\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZVO\dobdevsys.exe

Filesize
2.6MB

MD5
c4b309793b8b1e404733584ce8d0561d

SHA1
9e4b1611ec9ff0775cb4e88ed13ea66b7665a0f6

SHA256
94b9a6746f74d2d2aad7cf36b65b66ab26d735663185efd482d434a33e20fe90

SHA512
9a81c15d958ad796b5d925913006da875ee76b592a7a771db90d2ce3bb88d610604919fbcfede3e0881e482dcdd9a962a3002c8d715704b68bf726c0366250a4

Download Submit
C:\LabZVO\dobdevsys.exe

Filesize
2.6MB

MD5
3ab5c6a07a236765aeb070b0bf50b4ba

SHA1
880d3144431f4f39681316159f9659b319ccbad9

SHA256
961579b510900999361c68d4fba040587a8e3458556652e309ae8d629d4eb765

SHA512
b82fd9faf35d111ea1e304f9c7f9a03f4e7733eff5484c161d28ee67d4e34559e8bcd25ecff77fe109fbf0c5526f03365136aff7cfe759cf756b7c7bd16fe8e0

Download Submit
C:\SysDrvMK\xbodsys.exe

Filesize
2.6MB

MD5
879eed204a0751a3e44da740f93e57f4

SHA1
f1cf58a28dcee23f326c58351c9a30eaa201bf6f

SHA256
5efe36da4ada0139f0349f862c4519c1ddae760fb37ead3ae8271e6d5d2627e0

SHA512
150e894ecdcc9aae7b6af2a22f9bc6ae6642108e8b6913beae43f2e3814d8671d988b0039123b74eee0a1de57cce30a8569b2b952835b04c40a0eedb05b9caaf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
e6d03ba65a1013396173524ebe207a77

SHA1
fe4cf0f1f722511dc09a1e195494435eea9d4e61

SHA256
a54b921e14309f498640639800967e5642ba321a65d8eec039892054e89fb1d6

SHA512
88783e8bc66e88ed90a5d006b991fb5f0e9afe6258f8818f71e5ed6d3aaef8de9ce02b0360a63e780a4fb004929a9573da31ef39ab66e76781b6be8ed31819eb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
41449046fef3ade36c884d461faa07a6

SHA1
1ccc60357e727efa21844adccf4b54265ea26e93

SHA256
78f4b6ed4b7a6e72747e740c8594acf01ed6110b146612f700edf79a33268086

SHA512
0ddffd2234f114723c6da2f10803e63f24a30dd483c4b91b398d25256d1517a5727d0767fb378be93f1783bab5892fd3515b0d9bfc3b3437743d180af80f0089

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
1b92ee4f44afb2806997e3df7e3dcf32

SHA1
e95991dce011af5758165b54be850c9b39c0dbc8

SHA256
7d97c606eb15d413b5e9cfdb60210b1e46898cb5a23e2acb9161f5d939c9417e

SHA512
22a096b2640f27fb2d6c67f6517687e23fb18f16271f5e981f5c556c810cece65ee5f8864a412e150bb021f016acbdd0c48a04886f4dfd7aa7461dc197a6a1ce

Download Submit