fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1440106da82fa1a98020be948cab990N.exe
Size

2.6MB
MD5

b1440106da82fa1a98020be948cab990
SHA1

862fd6505c7c365e2cd9285bcb50c3e08ee9d21f
SHA256

fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721
SHA512

20d48a5b0ac20f10b113cad79972677f3a1f4b8d844b55c0c458a48e3943f65094937275ad44fb3895df9f2b7bf6edf5236acf6fcc80316210ab90a396372c49
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	b1440106da82fa1a98020be948cab990N.exe

Executes dropped EXE 2 IoCs

pid	Process
1096	locdevbod.exe
3968	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUB\\devbodsys.exe"	b1440106da82fa1a98020be948cab990N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLJ\\dobxloc.exe"	b1440106da82fa1a98020be948cab990N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1440106da82fa1a98020be948cab990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	b1440106da82fa1a98020be948cab990N.exe
2764	b1440106da82fa1a98020be948cab990N.exe
2764	b1440106da82fa1a98020be948cab990N.exe
2764	b1440106da82fa1a98020be948cab990N.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe
1096	locdevbod.exe
1096	locdevbod.exe
3968	devbodsys.exe
3968	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1096	2764	b1440106da82fa1a98020be948cab990N.exe	87
PID 2764 wrote to memory of 1096	2764	b1440106da82fa1a98020be948cab990N.exe	87
PID 2764 wrote to memory of 1096	2764	b1440106da82fa1a98020be948cab990N.exe	87
PID 2764 wrote to memory of 3968	2764	b1440106da82fa1a98020be948cab990N.exe	88
PID 2764 wrote to memory of 3968	2764	b1440106da82fa1a98020be948cab990N.exe	88
PID 2764 wrote to memory of 3968	2764	b1440106da82fa1a98020be948cab990N.exe	88

C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe
"C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\AdobeUB\devbodsys.exe
  C:\AdobeUB\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUB\devbodsys.exe

Filesize
82KB

MD5
661187bf6b204d76c0b8bda56e9db3c0

SHA1
57828b5a62b6b425585bc0b71078f8553511c8ba

SHA256
5f0c2900ccc921ff761e2e13777d63c0ce575b3548f201c6410b6f9e6f3ba3ec

SHA512
14f1b07fa7ccfe0b3f6b9362b209fd577a5ab43ce4ce3cdc9df94fa44ecded8c5881ae9a44a0878b34992e8c5e7fd3e74d80de7a98a6e756751da2cf670a44b8

Download Submit
C:\AdobeUB\devbodsys.exe

Filesize
2.6MB

MD5
f6a4c19c226c4816d64c02f8590254ff

SHA1
2d74fc05ea17ca769aa419b6b64c92b8a3c959b1

SHA256
e0a2c8af1c463fc02749e737c536de4091d91cf48701b20ff4be0e043b5060aa

SHA512
7dbb2259b0392166c9ad173fddf56e95772fccb4c932d9fd0a464796e0b455aa63e8fb9d0b25bf3fe3f9605e2c50a406cfaa3a2dec619c53ab5e3e745c16fd2e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d296d41d8ff7a135895d19c8abfedd97

SHA1
f48df39fddf8e712c84ad53731be13965d725750

SHA256
13bc07f8946f76e909deed0d11d460a1f5c1ccc41d29169518a8761c335c1d65

SHA512
578d3c92d0f89f866ad599645c6c119acebe186f69eaf01e70a7dd7e4631a27b73714122d8d8d077d0a04dd10945165265063d9afed547f18c2b096af3b57ffe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
10436f587aa039fdd728a6684e8fcd58

SHA1
bbe12ef2c99d34d6e7c17fc97addf822fd3683b4

SHA256
19d7a5b088c981ab9c0bf03bf2b190349042b3d94cedd26ba805c05737e03e5e

SHA512
e4431d61e84de7e62d7ec5b2dac6797e03f342066862036cdf6be742025d2007717082b19b1ac250356f7fc76c4e620c86aab357d365e5621ae5bd7480a40887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
36019264ad4cdcccbd8c4747db30afb2

SHA1
deacb3452c688f479866002e91b13e5898a6c1f2

SHA256
1943e923f662d7f6da3a4ce3bf61bebfa28afce4a9239588e3ff4707f3b4cc72

SHA512
4073b6984b3c922d244b3a7acd9ee3cb5baaba4017bcf91d7619eff5de4d3b49e73e511aa6477e5c557b9c338de73c5487a446667f80364d9946c3a4c0356aef

Download Submit
C:\VidLJ\dobxloc.exe

Filesize
274KB

MD5
4bd33c47cfce1680c77f17e981cac1c8

SHA1
3397c0cc1a6e0c8dd6668c4bb278f518f46b1aa9

SHA256
d2ad3ab4b58819d420c930f586893556b9f2e1da195bed3aec6427e5cd9cddc0

SHA512
e7b345176ccbc686d8920d67e046020e5baa62c31c49128274b29af3eaa8ce5981d974e05030b9bddae6ead7f09927e68400330de3d9519f89a171c27e3884ce

Download Submit
C:\VidLJ\dobxloc.exe

Filesize
2.6MB

MD5
fc444da6868ae7cfd67c0d5dd570f0f7

SHA1
54e280636fcc268d8a35cbcc0922bd7719429ce2

SHA256
f2325a2ae956139486a18ee7415bccb118b513961c5b08187bc8cb703dfe7db3

SHA512
bc7f5b67b8d62efb5a8fd83839b0efa9b7b0cf44e23e71edd2a19de370db413a53369464f5981bbf0736b353f01f9e66aa4cfa392a78ca268143f45ea588fd97

Download Submit