cf48709cadd97735bcfaee52d323bdd6f08186620f5b5b56d3d7dacefeb4c63e

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0c0f12bf23313126924bcb7fc18f4f0N.exe
Size

2.6MB
MD5

c0c0f12bf23313126924bcb7fc18f4f0
SHA1

09d6facd81ffae28f8f33488ca0aec9a4a14cc91
SHA256

cf48709cadd97735bcfaee52d323bdd6f08186620f5b5b56d3d7dacefeb4c63e
SHA512

8a0a1fbf81a0f7830b0c70076aef6db553f08192f3dfade8d111b11051d6dae57a2ec0d3b1e676d0da4ccdfdce961b22661a509839b60cc445a655bdbca3b56c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	c0c0f12bf23313126924bcb7fc18f4f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	locdevopti.exe
3756	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9Q\\xdobsys.exe"	c0c0f12bf23313126924bcb7fc18f4f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCE\\bodasys.exe"	c0c0f12bf23313126924bcb7fc18f4f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0c0f12bf23313126924bcb7fc18f4f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe
4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe
4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe
4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe
4420	locdevopti.exe
4420	locdevopti.exe
3756	xdobsys.exe
3756	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4420	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	86
PID 4568 wrote to memory of 4420	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	86
PID 4568 wrote to memory of 4420	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	86
PID 4568 wrote to memory of 3756	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	87
PID 4568 wrote to memory of 3756	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	87
PID 4568 wrote to memory of 3756	4568	c0c0f12bf23313126924bcb7fc18f4f0N.exe	87

C:\Users\Admin\AppData\Local\Temp\c0c0f12bf23313126924bcb7fc18f4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c0c0f12bf23313126924bcb7fc18f4f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Adobe9Q\xdobsys.exe
  C:\Adobe9Q\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9Q\xdobsys.exe

Filesize
28KB

MD5
d405a6e6ec1ee7e8bde0fa127d94f818

SHA1
3a4fc1b8659a42c0c87e2cb68df493ef10520626

SHA256
f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1

SHA512
0db30b1f330437d858e2a4f9ab32ec3ac5e2b5fdf0605b6a0bd6f7bd3b17f31a4967bac0fd7b59c07caf47c5cd0bc0b3e81597652c08a98bf5f1913674124529

Download Submit
C:\Adobe9Q\xdobsys.exe

Filesize
2.6MB

MD5
7e4bcfc03fb014cffff42601456dd104

SHA1
0e82f6cdd9fb8fde345edd393dd3f5f1057f712e

SHA256
4b431ed88039f8453fa34f6de7126f1852c11bca0a9318caa73f522f987a457b

SHA512
f51fb79f603a345f8b80fe6e37b18d213de4fdec3ff2d12304a8b7ccd28a344448f1fe93004517d895f99069eb8111407c77c792aaec456479a8cc0aeb9db70f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
15157631ff843f3ae306515f887fb477

SHA1
3ae684a8f2462e9efc2da19d3562ea0c28aa48e4

SHA256
e20b332925ebb90b44dec2926bc72d8a8ad0dda7ed30aed07aeb502cda5e1a21

SHA512
698263bce7156ec19b0152ea19576b26bfb029721fb6dff7b694d8604a851dc5009a89c26193357d9cb73e0a52ccfdb7d379a2df44460ed57c9f4bebe981ab30

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
20242ac20dd9dcdc9982d2a69a512193

SHA1
549a5c08d8b17b9427b5043573e565159b5eb7b6

SHA256
f9eac6fc75a72da58835c5e2c18a0a055f4e325ec29523e91c769e44a787e2f9

SHA512
3dd70c5bffa5daa2559cd1c5f7bd795914be6d3e2c350810fd77e1fe9452f480f1e444120b8c3b236a7aba4af6ee081df3c638a53326ce76ba78e1b0cf903400

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
ed8363940bac0a8e9a53c413584c3a94

SHA1
59617d5cc798e58223e7d8a5b7ca33466da376c9

SHA256
2f1181d4c1a09c68323662fcea90de3aebd8fe8efdfb14dd5d4716e10c8b2a76

SHA512
7fe1bc848f4b7e594f07845300c37a96bfb7e226edca1dc57d03d502d8d90adfaf01756021f74ed57deee1500bf7ecc38ecacd162d996acc4e41e96345f875a9

Download Submit
C:\VidCE\bodasys.exe

Filesize
330KB

MD5
7ef50117b2fe23c262ac090f5ba7a9b1

SHA1
be56f2ac87316e43439d28cb112d366831fbc558

SHA256
a578253bdb8341ab05017e4136c12f7a023b59a76a2160ade2c5bdd81081c1be

SHA512
3ffbafd7b06ac450baf747a383322badf75a1cf985eb0e8690561e80a5e256c8fbd37fc950268bb91bd789a22ca516245c5077520194ea79f03ea909aa9f63f0

Download Submit
C:\VidCE\bodasys.exe

Filesize
2.6MB

MD5
90cc1e398112e6b9a6daf9557d481ae1

SHA1
9aed0782918b745d847fbd86ccd5143ccd71cb5e

SHA256
a6065e0a500d912588311b1a583162654f13144a18afe0c330a22083cea950d0

SHA512
d01f8f53bcea65c26308adfaf6b6cfec0e6cd270a5c21418751c4d5e566123c3821c418e08ee3a54e9247d5da8b8be24e507735cd5d009117acf7f59ac12b927

Download Submit