41029c08cfac383bc190287bb36e4eac77791f39d2fa13bea957dc151e89612e

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdb8a42d79e70573a72d505017befd30N.exe
Size

2.6MB
MD5

cdb8a42d79e70573a72d505017befd30
SHA1

924e918b024327b32bc65c97c06e59f6a16d013e
SHA256

41029c08cfac383bc190287bb36e4eac77791f39d2fa13bea957dc151e89612e
SHA512

f0925895f5fdc226a4b2b746ad798a5ebd4579b482e6f1a5bb6c24857a2843ad5ef48e2026312d92a3acef9af3e8a36d91e849139be2255bb48117221ba929ce
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpmb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	cdb8a42d79e70573a72d505017befd30N.exe

Executes dropped EXE 2 IoCs

pid	Process
2428	ecdevdob.exe
3056	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU0\\devdobloc.exe"	cdb8a42d79e70573a72d505017befd30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\bodaloc.exe"	cdb8a42d79e70573a72d505017befd30N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdb8a42d79e70573a72d505017befd30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
412	cdb8a42d79e70573a72d505017befd30N.exe
412	cdb8a42d79e70573a72d505017befd30N.exe
412	cdb8a42d79e70573a72d505017befd30N.exe
412	cdb8a42d79e70573a72d505017befd30N.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe
2428	ecdevdob.exe
2428	ecdevdob.exe
3056	devdobloc.exe
3056	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 2428	412	cdb8a42d79e70573a72d505017befd30N.exe	86
PID 412 wrote to memory of 2428	412	cdb8a42d79e70573a72d505017befd30N.exe	86
PID 412 wrote to memory of 2428	412	cdb8a42d79e70573a72d505017befd30N.exe	86
PID 412 wrote to memory of 3056	412	cdb8a42d79e70573a72d505017befd30N.exe	89
PID 412 wrote to memory of 3056	412	cdb8a42d79e70573a72d505017befd30N.exe	89
PID 412 wrote to memory of 3056	412	cdb8a42d79e70573a72d505017befd30N.exe	89

C:\Users\Admin\AppData\Local\Temp\cdb8a42d79e70573a72d505017befd30N.exe
"C:\Users\Admin\AppData\Local\Temp\cdb8a42d79e70573a72d505017befd30N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\SysDrvU0\devdobloc.exe
  C:\SysDrvU0\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZH\bodaloc.exe

Filesize
2.1MB

MD5
3765c3ef463905560d943b36cda33d09

SHA1
ad705a0c40cf222f7626f624c35dd7143b1d5fb3

SHA256
bec4ad6bb30b17da6b645dae87aefc4eaf013cf88651afe2b1343ae7581db917

SHA512
575a6ebc968d507bdde9f9b8d0cb816fa0557e918080cf335036df172192620bf0469ad74bca260bd50e6ac89291391270df3e285a98374a5e76be02249d7a0e

Download Submit
C:\LabZZH\bodaloc.exe

Filesize
17KB

MD5
f218ec25fbf44d8ada55b81c57e9368c

SHA1
3254b68c8ff9dd72772ec3c826687fc2f2e58051

SHA256
467e21f563b16934238c7063303543443c22689335e46bb9c062de8adfa02303

SHA512
a4d4e08e5dd2456e7d6dbe472cdfcec7bd18be974c39e1035955ed3d4dd06043ef6abf9551cd150c97e10652878ffcf1e8241e72ad729ce1a9c525863a8a35c9

Download Submit
C:\SysDrvU0\devdobloc.exe

Filesize
2.6MB

MD5
5f3d4c0d2bb2dd2ac09e4461f8b8ed46

SHA1
c81a8caf886aa618fef98f995479d0ce8acb534c

SHA256
4440539d1b1ea64da379f9b4d378c889ab20ad5a3f7c3b76dcc79b5232a42216

SHA512
e5f1fa20ce4ab25f955f9cf6edca05b82c73caaa8cca61028023217d1b784b29ba867a6025e488c63a32d2b120c37d7cf97fe8fd890885bca6114b6fdef42642

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
6ac4132c39a2c245b035ad29153fba6f

SHA1
16d9407b84c991fc144a62d13cc23db8e9089a58

SHA256
48b970b48500015b0ed3cafeba021ddeec2d6982d9aa120cc2244123318c819e

SHA512
209e197a9be64799156b1c2f2678e4658be6874c79c1365e34ec8e46c595ee6027d3a317722cfdf5786a85e866e5fb642e93c40906cdbe0c19e0984fc27dc8d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
91dde625ee7622215323f03fdeb2834c

SHA1
0dbbbef79b6e3d1b218e75c166904b6bfd34600f

SHA256
4a470efe743205120fab07d4fdb37997158b589ac5a9b5b77d4cb6b1e509e7ff

SHA512
3385cb0c32e873b024c1bc7731aa5fe4cc3e4a604769776294d4f41928737995781a62530b930f7fd912e7cf517a7c1b9f4ff0a131372abaea0c9325490663c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
443cca5e601fa161130ca8a350ce7c00

SHA1
2c2444acda9b0907a1f41ccd760e9d6ccc8db2ee

SHA256
978b3b1b10892e6beacb67b92bf43b63c2d43a8bec88f7375eba7392a0e41a46

SHA512
b94a10344675fdaef8ea6a6b58ed1f3ebc7da16ed3e8ce9a9f5f64f79a19627830a12903fe34a0ee1e15cf91cad5226cb76856d11f8e63fa62c1887ca3ff6d27

Download Submit