6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Size

2.6MB
MD5

abafae1dee331923326e1062c9e21a26
SHA1

2f5f722053e6889085d1e6b0ac270dd7d37bb560
SHA256

6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb
SHA512

b5667d92e2f8381e8c3f3fbaca50c11b844488155ab7afea16bb0f4e817edc711cf19ae95a3a25bfe2bfcfff4fb1cc1dcb7fb0d607524d315c14a38940446f82
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	locdevdob.exe
3940	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL5\\xbodsys.exe"	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1D\\dobdevloc.exe"	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe
3076	locdevdob.exe
3076	locdevdob.exe
3940	xbodsys.exe
3940	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3076	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	86
PID 5020 wrote to memory of 3076	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	86
PID 5020 wrote to memory of 3076	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	86
PID 5020 wrote to memory of 3940	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	87
PID 5020 wrote to memory of 3940	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	87
PID 5020 wrote to memory of 3940	5020	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	87

C:\Users\Admin\AppData\Local\Temp\6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
"C:\Users\Admin\AppData\Local\Temp\6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\SysDrvL5\xbodsys.exe
  C:\SysDrvL5\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1D\dobdevloc.exe

Filesize
2.6MB

MD5
da2155a00d45ef3b06ef3e9f5eafba83

SHA1
85156126c650b3d0e3ec5b6043fd8a864a508c70

SHA256
03f237b0ac827473c117a9a674cd58a8cd734b0c06a96d522a6a1b707a860d44

SHA512
6c70dba40e93c54b36f305f6f30fa83eee19273dd8b734764646ae6352c6cf52dd8499da6fd9da122f439daf52260742b3696338531ad19544e3f70894559fca

Download Submit
C:\LabZ1D\dobdevloc.exe

Filesize
1.4MB

MD5
6e964777eab32c940b16bcc65d053cfb

SHA1
921ba8a34567b76bfb85534341394e1fae700f7f

SHA256
91b0a24d444349a4ef4dda97809a82d7733a51e3f4a7504909a61a62ed339029

SHA512
8c71122fecf0ab39cae363dfb976df44eb2e2fc6275362418033c23933a7afc207e1e31b76bbe6e06dd0c6072f6179b1d31573d7ca70b2a2faefe65b3caccda1

Download Submit
C:\SysDrvL5\xbodsys.exe

Filesize
2.6MB

MD5
aecd8ce87d40d2b903ca23995ff69406

SHA1
f0577ad9238f833d8bc6389c749ea6d069e8b84f

SHA256
a6838d00e8600cab7d0b050e6f1b6698c65f04737ae3ca09f1fc9e6ee708f592

SHA512
47d07e055bcc9f171ac465e5cd0bb6001542f321da928bf3f9a5d3aae0ed7d8e67d25cc995fd1cf6d79f27625b7fa53cf2b20de42dc13e2c7e0f6e85ab2001bc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
830d676fe2409bb09b612db3b2171f22

SHA1
a715326898272fb10c352420cdfbc0a946f47240

SHA256
7d43f9cc6eb58e36c315c06c3567fcf4931ef4c1f03137adafa3a3d7bc7dcd65

SHA512
b19059318687a7c74585896a68e3c657c0e1771adabb7c381ece34b30f74176c7d5f5b7aa10314c8221ed9ed1255a8b6e81d1bac86192d55d3a8049ac22f1313

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
90a56dc41383a11ee0a95b11abb1dc72

SHA1
3c81526f1b494ba38663e7d2d9a6cc04a83ab856

SHA256
838366ca5bd866a9c9f47dc4bb044b81b829cf3a98bab13404cfbbd17bc8a39c

SHA512
50c3a41d27cbff77cf700fd5ead151b1a88d579e9614ab85c5da0bbae47e452bffb13d9434e94b312960ab32dba2c82a2f475cb0603be7aaf3bf9d4824cb79ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
cd9e89c1b7ed8ab3fde8f035729b094a

SHA1
2c31bbc7197cbea92ce1c135edadfd39bc289316

SHA256
25bad5de4a7e7afe44fbb0992c842150b9f7a614d9dd6ebc48764dd36a902507

SHA512
26ddf08cd795badaa8a48df8bce755e4fe49e8b2d308d1ed82615f85e5019d75a57d8464530778987cbb148bb2e1c88ef4d65c015cc37b88627ce2148f12ebe2

Download Submit