96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Size

2.6MB
MD5

5b83d16ceb4c4f2370ab149a03b9fd30
SHA1

cee1c2bd9cad74586ba6361056b601b64c007853
SHA256

96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4
SHA512

3cc10d8be306e9ff9bd000994b889b4fa1e01c3df4f3d273445501fe7e11733df5c1fc02eb4ec4f6e1e2547d5c3db143053471ddf60866b9eeaa2254cbedda0d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpEb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	5b83d16ceb4c4f2370ab149a03b9fd30N.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	sysdevbod.exe
3048	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGV\\xdobsys.exe"	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVQ\\bodaloc.exe"	5b83d16ceb4c4f2370ab149a03b9fd30N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe
2268	sysdevbod.exe
2268	sysdevbod.exe
3048	xdobsys.exe
3048	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2268	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	86
PID 2156 wrote to memory of 2268	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	86
PID 2156 wrote to memory of 2268	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	86
PID 2156 wrote to memory of 3048	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	87
PID 2156 wrote to memory of 3048	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	87
PID 2156 wrote to memory of 3048	2156	5b83d16ceb4c4f2370ab149a03b9fd30N.exe	87

C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe
"C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\UserDotGV\xdobsys.exe
  C:\UserDotGV\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVQ\bodaloc.exe

Filesize
667KB

MD5
4bc1f5a18db684207bcd35483a87b961

SHA1
fce4698088a123f9fe5487f6c0243056fb8b9bea

SHA256
28d0cb9c5688d39c278c99f08520c52c888632f351449303a9e8bb6c6d7be5c7

SHA512
4603ab6429c48ebc417e948ac191f6bdd2f32c221140c67f7922b8bf18d83ee562affffe7f783d19286816e1aef0a0951424f9b1fb6c02dc11d0386cd9d04245

Download Submit
C:\KaVBVQ\bodaloc.exe

Filesize
1.5MB

MD5
6d35b83c8e00c7b1b6b66079ecb3ed3c

SHA1
673f4ac0a3ea69b3323c68db419e4a19f29cb9c9

SHA256
333e8f22689c53ee1e3fb93425fe71e16037e5bc39c931662af9594216e57b21

SHA512
d100537a2f26ecbd0eb6aa763ede0e024032803d0d7265c4e5803eda3c5620bcdc1a11d7772eb5ddc0af45a39f3810ea834504510c69c75fd2663fbbf5cd097b

Download Submit
C:\UserDotGV\xdobsys.exe

Filesize
2.6MB

MD5
7b15d24c6a2cd46333641e6515575c62

SHA1
e2e32fd59cd889af9391abe80c38b6b7a2116e7b

SHA256
ca48ba24684b0ea4221ee8601f12f598401e74709076f7b7d6c2c9383dee0c65

SHA512
320a628b5143622dba013ace4371be8e57b0013aa6ddcbaa63efdda8c40d9f45bd5136710361f6da885096a3c78eb62b1d87519a1826df11cebd647bfce68998

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b0b8b50401b43e4bffd89071f27fc90b

SHA1
fc08628d095a831b3f98125a19e03f39d891d019

SHA256
bf6362b7681e1c9ce5dc86c108a1d320c0adb308de836c86fd943b204b4ad66a

SHA512
90f3458abdf24bc847406013c102705b7c68102ae40caf41d6547a31388e177434ddb853bacc51be64c502fbb679caceb2e78cd10dea928fc63e6dfffdbfa4cb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
247a5e2ccb2b9b85a558fd7f485ca7cc

SHA1
1c66e45c566d42ae473857caab96a4ee26fa3d23

SHA256
5a0029392591cf4589c682370ada10d7893558845beb4fa29c56262330d7d9f3

SHA512
1887ee1b5af7c31561f5d2cae5a7e0721d9420956c0cd49189bb9d08f7d817029a4369d790350a61601f70317629734c4b46376d37d689a1d3cb4020f8b4853f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
dfe36def3a0da18951b43a1e23ea8c77

SHA1
b8d01b4eeed0d8f5f60c9c20d3f85666ed555b16

SHA256
73ec0c1fbf6abf1ab2524189a83e801e62b38b38ab4079426f53b9865e10c2b1

SHA512
1de5d8c0e5279372bc8e0cc3cef312c17ae03ff2b4424581ce43c0cacf1c77c678e55df2986c400e41462b5214d4cdec60725d1d6e52b314259779577bde4856

Download Submit