571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Size

2.7MB
MD5

07f2d7a5e261847251ccb427b2bd5d00
SHA1

29018e3c6793003f7240ebd76de6a12c5d6932b5
SHA256

571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4
SHA512

7a5641521cf24264ce33ba5c8f4ba6eba2ce18a187c2c9ae7d0d66833c9fb05702b5e939d713f9eb0d033389c45cfb246233786a4b55f1f7a04c03b3c44ea387
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4S+:+R0pI/IQlUoMPdmpSpF4X

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe

Executes dropped EXE 2 IoCs

pid	Process
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1T\\devbodec.exe"	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8W\\boddevloc.exe"	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2732	ipconfig.exe
3536	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
1896	devbodec.exe
1896	devbodec.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4684	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	91
PID 4708 wrote to memory of 4684	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	91
PID 4708 wrote to memory of 4684	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	91
PID 4708 wrote to memory of 1896	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	92
PID 4708 wrote to memory of 1896	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	92
PID 4708 wrote to memory of 1896	4708	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	92
PID 4684 wrote to memory of 2396	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	106
PID 4684 wrote to memory of 2396	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	106
PID 4684 wrote to memory of 2396	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	106
PID 4684 wrote to memory of 1636	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	108
PID 4684 wrote to memory of 1636	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	108
PID 4684 wrote to memory of 1636	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	108
PID 4684 wrote to memory of 3900	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	110
PID 4684 wrote to memory of 3900	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	110
PID 4684 wrote to memory of 3900	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	110
PID 2396 wrote to memory of 2732	2396	cmd.exe	112
PID 2396 wrote to memory of 2732	2396	cmd.exe	112
PID 2396 wrote to memory of 2732	2396	cmd.exe	112
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 4684 wrote to memory of 4048	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	122
PID 4684 wrote to memory of 4048	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	122
PID 4684 wrote to memory of 4048	4684	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe	122

C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
"C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
  C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- C:\Adobe1T\devbodec.exe
  C:\Adobe1T\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1T\devbodec.exe

Filesize
28KB

MD5
c8923eb6d55ae59a2d91ecce1706dd72

SHA1
7b64709b1ee3cace250ea9a3a59e338b8cc1bc49

SHA256
6a6f2712427e99ceede982fd03ae1a1a1ab93ae8c749862d691e4fcf9d7f5a59

SHA512
3266bf3c9bfd253f8e8f635c018170b26e68bc71ed54714d20499835f2b6d27f07a1d8b13af9f6c0f0dbb0dc58b4c811ed7a2e5556d5434e75ad2dd2a067158c

Download Submit
C:\Adobe1T\devbodec.exe

Filesize
2.7MB

MD5
582b31fb36f35c5d50fc86a4ac9f33ab

SHA1
d7d14be06183e6a75348754d94fd31ea9d17a645

SHA256
515ed51339aef2d7df2fc7c12e993216454385c836520ae13af26cf54283dbe7

SHA512
41de292fc6e6cb3194f7a267dd95e2f4a5bc3b5fa3ae4e5676e849344c2872a9efb9f8a6ae1165487ca1cb9c8f6259d08c3072937bda5d35a568e4526fc1e367

Download Submit
C:\Mint8W\boddevloc.exe

Filesize
2.7MB

MD5
8e53f59356003f38cda1337a2dc36ed9

SHA1
fe0eae38fbff448e2751485418876b6dc0a5dfbe

SHA256
060011c4bd447342056c4a029c72b289f4182a4c4d8ba24165974e68b2115230

SHA512
3ea3e4dbf280ad6e8cd3db0d2dadd1cccb48e855a773f15419b9f0249e87e76dcfe90fe6dce5d7201e143b88f2760f0e15458a1c149df60d8971bd30e98c6678

Download Submit
C:\Mint8W\boddevloc.exe

Filesize
2.7MB

MD5
e9e18f833fcd6a3f2e241f55ac9e3f74

SHA1
df67dbf4d1c80241a70cbb8e88aebee4cf2fd52a

SHA256
2b5a6f899728b8e6b28a015de950865a7d898cad7b696aafcb1f5735cb76c189

SHA512
8f303f60bff0fb651794ea86d3709b5720227105849298d8061f528a13da7f2d357f45227bb1d0391dfd0c4dc035de7afb8b42e14306c5db75c0a0383401ebd4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
3512205338768da449c1f44073c9522e

SHA1
02d12765a53e0e27697ee63fb1cdd9286c424264

SHA256
e13204075abc45b535a274fed52dbd00c46c5d8307d50148046d5ce122f86e74

SHA512
072a085ef5d0160d4c54d5253197f6d9a6f68926e05bb0d33efa9d4fb1a13e1c750170406fb762e2ab69bc522fb5aca1d162be713196318d86d35eb80ad7e2f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
18e3cdd70f92d75518148227ce51e98b

SHA1
df5bd5eba2f352f08a74c7bcd7b5aa43d00b7014

SHA256
b97564ba9426d21c613a58ed4e81897ca8e4ab3083de27544c4011b864251e9e

SHA512
3fae85e248747db495b3938031bb5ae3f3c0e79248834f576cbf6407a703a4e8908e70317c861318dc4e9019c97101fc77200eb1c052affd6e37bedf5df47460

Download Submit
C:\Users\Admin\grubb.list

Filesize
40KB

MD5
1bdcccecaba080152bb54be855d41736

SHA1
a9dae921d9eb24573aae5541e73eaf9a2ecdea0e

SHA256
09c0b53cbb5a30a886c8fa485268e4f3b636ef891c072a25cc07f495f9efe24d

SHA512
5f169c5f04d8088ba8f4d191eaeb79938d1d299c07d872f88dfe0ef8c8d0031612f2217019a83258da956dacf1795efc0c0e4ad9347fb9e496dd15fc42072dc1

Download Submit
C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe

Filesize
2.7MB

MD5
d5d001fb6899f9805353bd8614acfdda

SHA1
1f8f99188e71ff190536128ce070ed0427d05d37

SHA256
b28f12df846cb94940d4fd0c420b802f3aa223efca62dcaf1d9af9f47bb2a477

SHA512
43b7f8dafe26dcceca17d097aa30343ee05cc48e033e5eec9c44cf25f3b6649773dbe997f73e1e9189b52bc09c95df76df889ceac7946d71c61f681d3ca4d65e

Download Submit