be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Size

3.1MB
MD5

86cd062d2f3e66cf9355f2e2f75ba382
SHA1

9a821b521b96ce9a5acc41c4d4070339e23434f6
SHA256

be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968
SHA512

b56b59dabefef3e17cb278af6ab2070bcbe2521908b39b83411b2965ca144e34f9072af1718c1fc9cb3a869b69af0b7f222788ac44e9414719301159892aa041
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe

Executes dropped EXE 2 IoCs

pid	Process
2508	locdevopti.exe
1152	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOR\\xbodloc.exe"	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1H\\bodxec.exe"	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe
2508	locdevopti.exe
2508	locdevopti.exe
1152	xbodloc.exe
1152	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2508	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	86
PID 4568 wrote to memory of 2508	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	86
PID 4568 wrote to memory of 2508	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	86
PID 4568 wrote to memory of 1152	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	87
PID 4568 wrote to memory of 1152	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	87
PID 4568 wrote to memory of 1152	4568	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	87

C:\Users\Admin\AppData\Local\Temp\be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
"C:\Users\Admin\AppData\Local\Temp\be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\FilesOR\xbodloc.exe
  C:\FilesOR\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOR\xbodloc.exe

Filesize
3.1MB

MD5
eaf94dda89045ea47c7f45decff7ea6b

SHA1
00cc5e7419b8ba51bc2b88b3ef9905711da6fab8

SHA256
7a3b7a13a4e35779907029280a339a54832ac867dd18f56eb1da6d47de82f7b7

SHA512
9a095679cecf15b6e597b2a2cc4dc8d77944b1695e8efc0eb62ea95b2693835754c4a952ddbfba429518a06945c28f656c1b50ce3b741737bf20111d30b4aed8

Download Submit
C:\LabZ1H\bodxec.exe

Filesize
3.1MB

MD5
af6fae96588e46abdad0e8f015dd8431

SHA1
7de8479567d4bffea1673727ad68d2bae800eeed

SHA256
558938c4a6261ab35103557d703eea1b6c6169caa0cebaf091e42685da7a84bc

SHA512
ed6dac48a2778751f143b4cec009fce3d5da805e52681f4c56ee884f06fab9f4e6803370f4fee3dd9cae694f7a8001c9439c321d2002a444720159addfae120a

Download Submit
C:\LabZ1H\bodxec.exe

Filesize
3.1MB

MD5
cf118519be6cb7c8a8ae35a21cb63272

SHA1
241bcc8c6e5b67dc31e98eaf94b41e611eb33628

SHA256
f15af8dccfab5415cc14492a546606c1cc7747ca0957fedc524a854798bec0bd

SHA512
8a71545a28c8589107d1f1eaebb3f0684b53e31faa4869ffc747562344177a644316083887a4a475031b413791030c5f08305c8fccf392c8941f1bb0f65fa394

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
fc4d7990f8c03fae3851eb821de4d8b5

SHA1
afd5a40126b5a599aef684b9d3150eb7ed324d0f

SHA256
0780155efc5eeb08beb03b11e9c1cfc475fe5bc06f43535d03b8cef4f217c61f

SHA512
1e6b3c71641dbc268876e7792b2008b12967514d18067311a32d3103112aded27a531b21b17109ff1e0bb863fda894ce013a1dfb31b2f3e57920446ec1de16cb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
efb714d0bef5314f8f5fbd1c62b7f719

SHA1
6acd013a36aad027ffa4f492eb5630ff4d1f984b

SHA256
a24e31ff5148a0663b22ee07d95d1b0bf2da36c0a391f47f0a0d9e9f8e07a750

SHA512
7941d004ea4a93fcc6a5e660779c5bced8f5362366aff92cb4652c898219ce2cb5f2e1f106ef9ca786f45f353fa093db108d4469b88f18b37d3a45d57349c490

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.1MB

MD5
b6123862fd46a99130e2e0a82f7b2bc4

SHA1
06866bdc1e1784b3127a6eefdca7adcb3ec166a0

SHA256
ec6e901255a634da3e7214d4dc7d60e4c24fa508154cd93c7af95573f5b31a85

SHA512
a951c2ea8fd75ea1bee3fae003ecadbcc3c7744acc3d70a2b411df2e90f423deb713565054f3941de9b78a041e7aac1b7cd4bece58789b3013ca20d07eb3f9e8

Download Submit