502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4644ff643e338dba4beaada055ad79a0N.exe
Size

2.6MB
MD5

4644ff643e338dba4beaada055ad79a0
SHA1

e9ce05dba27d1a730f6bfb77ca455e0910150d6f
SHA256

502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec
SHA512

8602b6c5ca2e84070da59ef12228ea5c6d5be3adca111d47f8502fd6a806895ce3e0676d3cf6d7ad8e593b831c9145d0a40692ed96fec197beda41fcd3eabe87
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	4644ff643e338dba4beaada055ad79a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	sysdevbod.exe
1860	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5F\\xbodloc.exe"	4644ff643e338dba4beaada055ad79a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVJ\\dobasys.exe"	4644ff643e338dba4beaada055ad79a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4644ff643e338dba4beaada055ad79a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
1256	4644ff643e338dba4beaada055ad79a0N.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe
3640	sysdevbod.exe
3640	sysdevbod.exe
1860	xbodloc.exe
1860	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 3640	1256	4644ff643e338dba4beaada055ad79a0N.exe	92
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93
PID 1256 wrote to memory of 1860	1256	4644ff643e338dba4beaada055ad79a0N.exe	93

C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\UserDot5F\xbodloc.exe
  C:\UserDot5F\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot5F\xbodloc.exe

Filesize
1.4MB

MD5
fcf531548e80ea8e8014f8e97bc9b615

SHA1
ea918ea80e50c66bcf9f4dea7123e888cac328dc

SHA256
6396738af5a4df65c3660611acfb655848f812616e9fb7a5fa1033eaa3c21787

SHA512
58412b00858bc40098af4106ea4a057bcdbd32f53626c72d2005c9dcf9f87c2ae3f3927e9a6d31635ba799ec2718aa00b01553e9141bfdbc9c95bac55123d49e

Download Submit
C:\UserDot5F\xbodloc.exe

Filesize
2.6MB

MD5
818c5c9a4671cb2b704aad46a576f8f8

SHA1
f28fa4f3f64d64b38e1fa6e0f73a3617d9fc0e06

SHA256
82c0289fb7927391efc7f75292daa5076ca2740d58bff52b102caa256deb39a9

SHA512
e497564211d8f0b758ed61b53a752a862d571703baee27ced09bd3eb598e5fa57cdca5dc4e4911d005bbc0dc039fd6908eccf8d58938840404e9f1c1e98963bf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6354407f635f4f73026392b49bb7cbf3

SHA1
44a819d421bb4560504a6df1427a54f5e60b570f

SHA256
2cef3e4fd33c51fbd00bc1dc915ff5701caf3ba6190f775e4788b26d6a17996c

SHA512
45911109e26e9e4144e06eea54b7d0c3b6a25def315ac5b2bfb0bf2cd18907799432f12d6505b13c3b40cb9de40344bdef440759d6a52c5bda929fe21ec2c17c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
0c42106bdf0d84e607ae936dd9c5ad19

SHA1
38221c6f77dbe1f36d6025f551f386b358cd4a89

SHA256
d18de9764819cdf517c1f1c222157cbd50458896b45269cbc745e5d13dbf94d2

SHA512
233e7008a816c58e66463dd68a00e3b2ac50d79d45fb089c075aeaa86b2ba4a18c37835a48e52ff8ca8a0e08e5ffe74d28dc8b02ac32617f02ff988b873b0439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
d48e36150fd498717048b5ef487d4f01

SHA1
899963d881bebc83690f52b08d983dee5dd0e775

SHA256
fd901f9544e10ba94c114ac06abf392f67c78c3a4631c93cb37472cbf2cb2dc8

SHA512
2b8ed206e01863eae14f3772c413545152e22afacf0bf5b30ace550fec7be3db64a924b9f5d133decb7f087f835ee4e4035d4ad4e2251fcd4b2a43d2b29a6860

Download Submit
C:\VidVJ\dobasys.exe

Filesize
30KB

MD5
09f9f4e546875b92f6068810d8b60410

SHA1
5d30dc83123e0275958f741b5a57da1b143d4174

SHA256
d06b9256591d0a106e2a0b5112ee077e14152e16f691a1ffa93df40c9d31c7e3

SHA512
776153ef167b208db97fb18c6d0919f50465a7a1dcbfe0daad4276730d86c9cce2106003ae430e8f78c8c029ae7ae4eed66baa7414be3114c609f0afc22a7e51

Download Submit
C:\VidVJ\dobasys.exe

Filesize
640KB

MD5
3efe3a0d2138d84b9dacbeb99d16fa84

SHA1
ed441962eefd03038ef40210a5535f6d5b75aacc

SHA256
87aa0c60e65caad44e66cf4836fa14006f682aeb26afb8b2b71d6fea50daab26

SHA512
0fda9120c157f22e1bf6c974408646a3e4dc1a31e0686d9ddf836058535841f68b21e9755b580b9714013c3d0a42ef6de334f40e1980a6ceaea8be42447768b3

Download Submit