69febc8fbd4f3b50eb3d3bd7fb09334941d0aafc4878ab21db68a61bb5e4dddb

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcb0b228d457a866cc9c5b9a7a7e530N.exe
Size

2.6MB
MD5

9bcb0b228d457a866cc9c5b9a7a7e530
SHA1

4a3e1ab08db7d47ddd1c84e1b9929d29de283408
SHA256

69febc8fbd4f3b50eb3d3bd7fb09334941d0aafc4878ab21db68a61bb5e4dddb
SHA512

1b5e050ae23d5fab0c1a6af71d319c1e0ff8a8945b0c55d2f8332299eb11c1dcf0aeb60fedd2ed7c3970c46a294495fbcef436909b783ffb5b5c9df62f489662
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpAb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	locdevbod.exe
2572	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1D\\devoptiec.exe"	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMO\\boddevloc.exe"	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bcb0b228d457a866cc9c5b9a7a7e530N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe
2120	locdevbod.exe
2572	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2120	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	30
PID 2900 wrote to memory of 2120	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	30
PID 2900 wrote to memory of 2120	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	30
PID 2900 wrote to memory of 2120	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	30
PID 2900 wrote to memory of 2572	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	32
PID 2900 wrote to memory of 2572	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	32
PID 2900 wrote to memory of 2572	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	32
PID 2900 wrote to memory of 2572	2900	9bcb0b228d457a866cc9c5b9a7a7e530N.exe	32

C:\Users\Admin\AppData\Local\Temp\9bcb0b228d457a866cc9c5b9a7a7e530N.exe
"C:\Users\Admin\AppData\Local\Temp\9bcb0b228d457a866cc9c5b9a7a7e530N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\UserDot1D\devoptiec.exe
  C:\UserDot1D\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZMO\boddevloc.exe

Filesize
23KB

MD5
859ebb87091eda45d4aaf0ea5e233084

SHA1
7db3583f649e3ca4a64208de312be8edeef804e4

SHA256
e5879114b6d73753c6e36f5dd28769d598180e7749714c60c98d3de4a491bbe9

SHA512
c09308ad9e9cabad916973148c7d104d499eb492568eaf5574fd9b68dee97beb2fade58e85b0be82d4c0ae18f05f7658c7b9a79adabd2c57472b2579cb7cb9c9

Download Submit
C:\LabZMO\boddevloc.exe

Filesize
173KB

MD5
cff1c73c6ce9cc928c923624354f1392

SHA1
683c63d340f5885f360c65474c3cb5fdb95929e8

SHA256
aa2512dcb309a56353edbb899298ca120530e5ac6f3b117c8326550fbb75bbe6

SHA512
2137d1a92741113cb65d9880450571bacc7c10ec7caec0af78dede188d43ef9fa22b61efdd23c4f80e65af21cabf6aaefc3ca3b763dda27c241ea37f6b9547ea

Download Submit
C:\UserDot1D\devoptiec.exe

Filesize
25KB

MD5
5762bac0acb51c17f2d50d3089e9a468

SHA1
0050c15f18fcfb7ccb580d1b978828a14dfe5548

SHA256
9ba88174226e3e60f0e21fe9ea512cc1b77c4e88e7cd924a32a5d3ca62dd78fe

SHA512
c653b3411dcef476e2330af4f8649c7cd0bee4d00aa083bcee7ee9e5fa618df1779ef8f2c1a39238cb514b17f7ef07ea5a11b68b1ada79e11743feca9cf8a93c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
6aed2c6d681adc322724f6057c389cab

SHA1
778fc77d715917ee13f4e717e8efcb7545382b84

SHA256
21eb3c011d2f8f86e61c46bc1332b11e9d1a0a7503f103b5f25c956e0d8b9248

SHA512
fe3cae5898a946526a322bbae60c18ef1fc1596eaaad28a449282ea74cd83cb85ff2a4214ad1bf75549ae0812dc6c57ad0a8a6c2294ad4f295baf9768511073a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
01ca2471b99b339569d8638f3e211f7c

SHA1
8ceb28d4983824de84f3daaf4d59a443826fb934

SHA256
44c01600470f75e1ee763497565946a8e51cb1b3c51b3ee56a9f0eeb9123687a

SHA512
1cbc0d7c7bbd6f5c523496318b9066b68559a815831b4aedab5ecb89a832b4d999b6bc5ceb83740cca987fe15ba453b7e3fd1a3a4d519ddd446d19728ee1a95b

Download Submit
\UserDot1D\devoptiec.exe

Filesize
2.6MB

MD5
84754a0224d5f050c4e2d1b758015841

SHA1
cc2dc6d2dc1bca138472245584a55e108e840f4f

SHA256
8e833995e443dc3edb771915219d75736d27aa6ffb86c420c39163f599b6dea8

SHA512
7ca9a3aba624d9faf4a507d6260f2febc8d28fa07d6f9a5f47872b154f6563eee9d5fb51f9ebb9696395ca57b2419696305d4a0347bf3fde66088abec8d5b758

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
d0182ff0217120d8343d1736b144d4b3

SHA1
e2c30900262116ad37c06da364c73964552cc1e0

SHA256
85b7f90c5f8e6dec9cb5bfe24ed375a39d923651ebf77d1a18fb36350d3918d4

SHA512
11bdb177da0b5bc2d9ad830f4505399d9470ad246d9ef3fce9bd4c82172f5f75929dea80dd15cca76e2f20490bfe9d3d94932f2e6f53331b6d008fb46dd9a592

Download Submit