a731a29140de578595f9047680b811c89ea3c33f5a05cff251fbf104e4f3c542

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e9d701097d04698f79e1666583d8d0N.exe
Size

3.2MB
MD5

09e9d701097d04698f79e1666583d8d0
SHA1

3ed675da18525a87f7ca9cc8012f58fc36eeb7ff
SHA256

a731a29140de578595f9047680b811c89ea3c33f5a05cff251fbf104e4f3c542
SHA512

0ed99d85158d559e2d7f3ea32c969a6e23c8a465d9cef9d7875066cccf63b13c173bb13c196c74fbbf7672382000f8f24173a36799585bb77f23055a259989b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpbbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	09e9d701097d04698f79e1666583d8d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4424	locadob.exe
3728	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL2\\devbodec.exe"	09e9d701097d04698f79e1666583d8d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\dobdevec.exe"	09e9d701097d04698f79e1666583d8d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e9d701097d04698f79e1666583d8d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	09e9d701097d04698f79e1666583d8d0N.exe
1632	09e9d701097d04698f79e1666583d8d0N.exe
1632	09e9d701097d04698f79e1666583d8d0N.exe
1632	09e9d701097d04698f79e1666583d8d0N.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe
4424	locadob.exe
4424	locadob.exe
3728	devbodec.exe
3728	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 4424	1632	09e9d701097d04698f79e1666583d8d0N.exe	87
PID 1632 wrote to memory of 4424	1632	09e9d701097d04698f79e1666583d8d0N.exe	87
PID 1632 wrote to memory of 4424	1632	09e9d701097d04698f79e1666583d8d0N.exe	87
PID 1632 wrote to memory of 3728	1632	09e9d701097d04698f79e1666583d8d0N.exe	88
PID 1632 wrote to memory of 3728	1632	09e9d701097d04698f79e1666583d8d0N.exe	88
PID 1632 wrote to memory of 3728	1632	09e9d701097d04698f79e1666583d8d0N.exe	88

C:\Users\Admin\AppData\Local\Temp\09e9d701097d04698f79e1666583d8d0N.exe
"C:\Users\Admin\AppData\Local\Temp\09e9d701097d04698f79e1666583d8d0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\SysDrvL2\devbodec.exe
  C:\SysDrvL2\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZH\dobdevec.exe

Filesize
1.8MB

MD5
aab47b4d3650ec1caced4f3edcca8ef6

SHA1
995e65fca1e337f6147ebf3e3ae9003a077c633c

SHA256
4381d77b1fc1b16385abbfdc5e18d6924443db2c4c5d2c607aead3801643ab1e

SHA512
9c33c18743ee6d0335dc32b246c9f777e0c199c0b675621f617c5cfde5238bfc21abe3c2e404d6f8e07f150097a067953e5df87fb40f5ecea7041dbcc0d7a020

Download Submit
C:\LabZZH\dobdevec.exe

Filesize
3.2MB

MD5
55adb201ff091a54254eacc413f2093b

SHA1
a90ec6e913c1de077c823c1491ff976a6c426e71

SHA256
635ebaddb05f8ca6e77f48d7cc1f1117d776ec92c93a54f5b589d1170a7d48dd

SHA512
113e4c978f237b3cd06fe16e4358a3375e7bcab278b8c463660b91e0708deb0907af6771aef92fd8cb5cfec5e0fb735475d55cbb7f83934c52c50f4758cd8bf8

Download Submit
C:\SysDrvL2\devbodec.exe

Filesize
3.2MB

MD5
c62f1ac8e00ed3f0996ea47e7ef1f902

SHA1
d7bdd069ed44dd9cc29b0a96175040df745e5d42

SHA256
e7f013273a65112091d0b8b3154d006e764cb132e8f2dbcd3751255388912cfd

SHA512
1ed7060e55f5a32230177be9f5ccb47825f58e0a3766f71980e6107cb02f13d53235df957ee753b7e563895677f11cf0f5f03db887afa7df8d2aa82a2d69dd54

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
570a1423c6a19f53b3f689598989b00d

SHA1
946c471ea9cea0ee68bba1542fa0b974d89fadef

SHA256
5e70b8102392a711aa2dc76ee618dc7405d84ba9ede88f58664768c1ffaaeef9

SHA512
74cc72c0de886c3a36a320ff4dc0e94eeac335ae1e55d6ac1024bf360a0599fdfacfe612e2888edfb37b230b4285b780696a7dbe5cd0a05b7001dfd3a32dfb59

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
e7119b409b4859fdeffcab7aaa3b2212

SHA1
f94f90e12b42ed6dab787e26ad6c6f259fa21085

SHA256
f40f33394b0cf8610f0fd8d08ba5fdbc4220827c3464ec912e2ce1de13306118

SHA512
2b52eacd9a605f8bed864840069e266c331cc9448610847bfe02c91fca63f0fa5cda2802dab1052453498e5b03a23062df41c7dbe392ed2f32e3eb6b8f5533fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.2MB

MD5
53ae46e4d1297dfa0cf9ee3cadf407e4

SHA1
7a0b7d04fea255d80887da80a71fdc805e88253e

SHA256
e05f1d14f4ffa7debda19081ed7faabff12566534fbe4826bc578b22c793c711

SHA512
1e3479a20efad69ed4142533eaeb0860388d2326b00897cc58c91424ab03e60f30ef2c4e3087f8ae86bb557b41888c66feda218193e4148e02f2702d4df254da

Download Submit