7618fb3f435767cb56c026743738f97d5f49a54143f646e85bd7d07d31eff542

Analysis

max time kernel
120s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1800f45515ace051c9edd00016d42e90N.exe
Size

2.6MB
MD5

1800f45515ace051c9edd00016d42e90
SHA1

a2a2fce90739ffde8b1f23403d6567cfde15ef92
SHA256

7618fb3f435767cb56c026743738f97d5f49a54143f646e85bd7d07d31eff542
SHA512

4041e59ceaa3fe00175b5e798e0e2495cead8c8ee97d5d62b61ff17387834b09122041bac340e87f4d743f798ab840a0e45f447fd2d8d0e08ef41004307c71de
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUptb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	1800f45515ace051c9edd00016d42e90N.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	sysdevbod.exe
2144	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBV\\xbodloc.exe"	1800f45515ace051c9edd00016d42e90N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid91\\dobdevec.exe"	1800f45515ace051c9edd00016d42e90N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1800f45515ace051c9edd00016d42e90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	1800f45515ace051c9edd00016d42e90N.exe
5000	1800f45515ace051c9edd00016d42e90N.exe
5000	1800f45515ace051c9edd00016d42e90N.exe
5000	1800f45515ace051c9edd00016d42e90N.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe
4900	sysdevbod.exe
4900	sysdevbod.exe
2144	xbodloc.exe
2144	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4900	5000	1800f45515ace051c9edd00016d42e90N.exe	90
PID 5000 wrote to memory of 4900	5000	1800f45515ace051c9edd00016d42e90N.exe	90
PID 5000 wrote to memory of 4900	5000	1800f45515ace051c9edd00016d42e90N.exe	90
PID 5000 wrote to memory of 2144	5000	1800f45515ace051c9edd00016d42e90N.exe	91
PID 5000 wrote to memory of 2144	5000	1800f45515ace051c9edd00016d42e90N.exe	91
PID 5000 wrote to memory of 2144	5000	1800f45515ace051c9edd00016d42e90N.exe	91

C:\Users\Admin\AppData\Local\Temp\1800f45515ace051c9edd00016d42e90N.exe
"C:\Users\Admin\AppData\Local\Temp\1800f45515ace051c9edd00016d42e90N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\SysDrvBV\xbodloc.exe
  C:\SysDrvBV\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvBV\xbodloc.exe

Filesize
1.5MB

MD5
f8496dfde599e84351d8cdccecb31b91

SHA1
ed52ca35286bd7a3093967b8664979b5bfe3693c

SHA256
de2e3879fdb8b1900fbe3f7c406b7810718b6d045a052880081955f3828dc47a

SHA512
66cb2652ef4eef3202d23415805bd5975e3b600b8b5dea7249c759f395e53effdd07e6f1f5903b023c983adf41462cb5a5ba43452548951292065bcfbff3e702

Download Submit
C:\SysDrvBV\xbodloc.exe

Filesize
2.6MB

MD5
94aa83da22cc7d4241d5262c067ae585

SHA1
f45b921f167797333d452ab0dcf0bdac2d6b147c

SHA256
3ee994361e0c7aba9e69799eef10f33747e9000874063790dbc0bb060fcee5a2

SHA512
d026b135942148fcdd7f5cfc2f277d822d0db4d4e8d6c6c8852a99088f7b97706a9a7388916ebe042cf58a74913efe182d15869e477f534a5ae483ec59e52774

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
ebaf986bb6741f6a1296f015a933d392

SHA1
e481b4e4fbcd46b7e271c7c52909ec6db46bfcb5

SHA256
21873c40732d2cbe30c5c1f0fabbd565cb95447da2c5759c43c628f4cf3ad7e9

SHA512
f7f4607b016ec7967ac63ddc40ee22322341d35415c813c62b1fb4d5b970632d6846e8a241167a69d70032f8362046151599cb5cc4a433ea02bf3e8977281f13

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
97b6906bb77ee914b57d1990af134edf

SHA1
c512b49175f8ea680692c08856b3f1c999b6f887

SHA256
dc017901d0fbdc9cf6b67d63f74b448a1db0da44a9c30c06ba9c32a0d50d4bdf

SHA512
4b22c703b77f99b708b740e97e7dd0c9afbb1ce708fd70c53a4417573520265baa49f4069962f3f81b0b040b3d90a2075c0a468aa5f26c6cfa6f9d292627f461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
790d508f5a44f90a9dcd9cf9704acc3c

SHA1
5661c406c82621acbf96a688c49aaeb0011079b1

SHA256
02957d2dafc874e6bf006e74db1ec1af67250e433f584b79628b4ab75092cf13

SHA512
7f7c6e966644908b385b95acce4df6c1d27cad5c24bc5182fcd3b2630841b0c3331f67737e66f03ac2ef810de196f1de96b240364f76949cf03c11446b7d1e24

Download Submit
C:\Vid91\dobdevec.exe

Filesize
560KB

MD5
0f994b5f706fb9af7c5c0d9fee90c4e1

SHA1
1e8c2a57365b3cb7f77002308db669ed71e1d896

SHA256
bac94f54ead3f1e70c10932973ce09b9610cd104a650f8569ef33f7bac8228a9

SHA512
0c4c56a0487f577558bd7fd404e713e0b639636a2bf830bd0ea5e679d41c962323e1c7010d9c564e53bcbca5e6f8fb85e4ef4bdbceb47aff788e55e86dd9a43d

Download Submit
C:\Vid91\dobdevec.exe

Filesize
2.6MB

MD5
1a6afcd69f5fb6946911859a7f928d2d

SHA1
2b29fc1934789442a2b22ebd822be582a7bca378

SHA256
83fae04b5f599b4e8b09d9a06ede6c77b5ec7af294193084640b401671bc19de

SHA512
9d53e701e098786223d5820a6d95ed1faa0dd2d29c13451440c9e9312200cd4e46e1c156fa6efb0ab160f7aae0ef9e58bfc96c764e2d8a285c3bdefe198a9f6f

Download Submit