5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Size

2.6MB
MD5

cb8ad88571316a7c5db8c8bced8165cb
SHA1

cbb62a447ee5ab176cd4799cee7b8903baece1ce
SHA256

5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42
SHA512

01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	locxopti.exe
2844	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP3\\devdobloc.exe"	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIX\\bodasys.exe"	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe
2840	locxopti.exe
2844	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2840	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	31
PID 2488 wrote to memory of 2840	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	31
PID 2488 wrote to memory of 2840	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	31
PID 2488 wrote to memory of 2840	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	31
PID 2488 wrote to memory of 2844	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	32
PID 2488 wrote to memory of 2844	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	32
PID 2488 wrote to memory of 2844	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	32
PID 2488 wrote to memory of 2844	2488	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	32

C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
"C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\FilesP3\devdobloc.exe
  C:\FilesP3\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesP3\devdobloc.exe

Filesize
2.6MB

MD5
90ef49636fd0adf9715445f794134136

SHA1
cac94aaf36e255ba1bed7c166489e41c7fce0a1c

SHA256
b2999db6cfb15866ec3ad8ce2f07a55efd3e01571bd9a3f46adab248aaab3909

SHA512
47c28f644620a6cf23740ffc19ea69ae1db96cfe1903cee661fde6f72d4f8ce28611412ff503c07201d21a00a616499c3a31994131f790ca5c73d315f5996ee4

Download Submit
C:\LabZIX\bodasys.exe

Filesize
2.6MB

MD5
71906dc155713c70cdb0350c502a6a5e

SHA1
97a6163234ffaff5c4c089731c617f6b511d92df

SHA256
c092d7aa1d7aa0b30ad59aa8bdf10597b8dc59631c399c7859e947bb4c3a6137

SHA512
abf5145ab84b7f196484bfde7992978dd1c6873a043ca25c2e98bc3e1eff4f0c44e0f92062c9cdabfc44570d30100033fe05f6a402b94f71511e3dcaaa5d9664

Download Submit
C:\LabZIX\bodasys.exe

Filesize
32KB

MD5
aa404e81fdc4946ac80a30fbf1b10c14

SHA1
ed71e23df81576b945ef2f6e00f8f5b35f6a533b

SHA256
93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79

SHA512
3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
25a7ba2da9ad8d75279f4bd1bd8adc65

SHA1
bb38e5b11bfafacc5263f36cabc40765309506aa

SHA256
6a4b5015808bdcf1211731e246f79b018e1b42dbcef46ee0cbf0aee4abde9d55

SHA512
a5675af2be709c08106fc27cb76516c3d757b375211a653cbb1d001c07208c689276b0ca9eb2e608f97df2c52a1644482437bcdfe1a10240e786d8347c37f8e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b14a79cc399d851745678957953e4e1f

SHA1
221357c6160169c24d77214540150806829683c9

SHA256
e529fb5d01346d06a3664dce1af2f53edd0b7d46d64189477f1302427f140260

SHA512
3bc3a941927a1b3f8d0e47b7cee488aa3b237b5b3478ff98c141e0ddff93d846f615a007ccc5a3bfbda1e0e10aeb8eab82f0cffa28a08efa79112ba499963d70

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
a957284fe52be07a51ac65e09539b975

SHA1
336418a9dacec1d7ef43cc13893e4784fedcfd04

SHA256
ff5c5097034ea65902028faf93f643637f52c35f41434b5ad9385f389f58b545

SHA512
c4bc48508fea0c6d09864406494cb29aff427625685c66d2c851232ab2b5eefdfce5808a8dde2046aa864e342f3a6031c422472fb8abf58a8cdbb3d00bbf1148

Download Submit