f37711a5468cd6c73634bcd4d89d9fe33617e4ab0bee0fc1c400bb5e54c66490

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c310345f776bd70917375b46c831da00N.exe
Size

2.6MB
MD5

c310345f776bd70917375b46c831da00
SHA1

99649095eebf035f97d8b421f75d5837ff5811e3
SHA256

f37711a5468cd6c73634bcd4d89d9fe33617e4ab0bee0fc1c400bb5e54c66490
SHA512

2cafede97638d1d662cfad700c5c78796603ae67df475ebc9d7489d1143ae7c7d68cf2157ea11a2746ee5cc1dc173b291982af8e60ce731d92de84e2b07ed93b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bS:sxX7QnxrloE5dpUp6b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	c310345f776bd70917375b46c831da00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	sysdevdob.exe
4928	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\xbodec.exe"	c310345f776bd70917375b46c831da00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR9\\boddevec.exe"	c310345f776bd70917375b46c831da00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c310345f776bd70917375b46c831da00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	c310345f776bd70917375b46c831da00N.exe
4556	c310345f776bd70917375b46c831da00N.exe
4556	c310345f776bd70917375b46c831da00N.exe
4556	c310345f776bd70917375b46c831da00N.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe
2748	sysdevdob.exe
2748	sysdevdob.exe
4928	xbodec.exe
4928	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2748	4556	c310345f776bd70917375b46c831da00N.exe	87
PID 4556 wrote to memory of 2748	4556	c310345f776bd70917375b46c831da00N.exe	87
PID 4556 wrote to memory of 2748	4556	c310345f776bd70917375b46c831da00N.exe	87
PID 4556 wrote to memory of 4928	4556	c310345f776bd70917375b46c831da00N.exe	90
PID 4556 wrote to memory of 4928	4556	c310345f776bd70917375b46c831da00N.exe	90
PID 4556 wrote to memory of 4928	4556	c310345f776bd70917375b46c831da00N.exe	90

C:\Users\Admin\AppData\Local\Temp\c310345f776bd70917375b46c831da00N.exe
"C:\Users\Admin\AppData\Local\Temp\c310345f776bd70917375b46c831da00N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\AdobeKE\xbodec.exe
  C:\AdobeKE\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeKE\xbodec.exe

Filesize
2.6MB

MD5
41049f5f1ea9b650d4333200f2d44310

SHA1
1042b33b0c26b4c94e7a4dece55915ae5d2c6dca

SHA256
f086f6fb42ad32a4e8447c2412c50829b6e716221e0b1b28b2b781e330b3e046

SHA512
45f967057e0c725d91c382e4bd13c59d1cf9da22e8cc634c348590f1d5c12ce6626565c91a6d43db2d166ece6373fd21b9dc74665093404f20576589a7d17b64

Download Submit
C:\GalaxR9\boddevec.exe

Filesize
109KB

MD5
bec390f65e618afd28e07333ddf559cf

SHA1
dcb4cc1f00a8496ec2a5cd53af5b5730d91813db

SHA256
0c45d03b76f5d36e893e50662c3b92cfc9bb29509c7ae596000998b2b96a39b4

SHA512
64dacc3d5c4575a15d26693c8d5fdef8ef412dd7e69ea7b0819ed31e5ff0c3fe1f05663855717d25600e3be2160309d8b0aaf5a70da3d64b60702925076fa1ab

Download Submit
C:\GalaxR9\boddevec.exe

Filesize
19KB

MD5
8722a447f61ffe9d22d59fd0342ccf10

SHA1
826bbfbb0ed172381a61dc1904ae4ed9c90d02ae

SHA256
e5ea5445b1355be949760b8d3409b4aa831b521e8828d60b254e6c91b67800de

SHA512
2dfe8e4a37d48d578fb19ab4c43ba773635f285acae7f154930f240179812021c46c16eb3a4fa7a846e4f8bee98eff71eceaabb882cb45162a223ea0724956fa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a34ecf10a6a5f5ba52be8e377f7a87e4

SHA1
d91b4404f1abe003bad0b176c01f21fa7cfa0b26

SHA256
be47b05f6100639f99a5a89962f7bd0e302fbc2c2099bfba79b21928648f28b9

SHA512
1fb41bf17ed118d36a463942a6018025d277a3859edadbcf612da32d58a0805f864af2228df57739b0a59092cb467a4205d165d7584900329a33fc24f4e4790c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7aea9f3443271587a89d8e5c81b15062

SHA1
dff5dc01bc75e7f0e9b4ffb74a34102eebba11ac

SHA256
c744f27ab3e3129f03282ba16d326ccb2c6e0bedc2f470ee8636b45389e7f3f0

SHA512
88c438c18804f39d0e5bc8b32d6d98a135deb1d85c4d51d9bb5085a6446be9943f9e1fb9a52fe41af0f03d9978667dff9bfc6fb8555bd5895be280f48b6e7b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
f1bec01f74d871af8ade52122c3e5abc

SHA1
ee9d593b383c66871599ea2def3f89f86044d4e1

SHA256
8ae7e43750c22d9f4676722a9eb8da9945cec85e58a36293639fea794c8bdd06

SHA512
ab66c81dc98cd202df7fcde4531588156047b77bba6df4caf7a4ab64e7968f4ec0217c2936d8ab9f131ed49d7dadf962488e0ad279a53150a22290bea5d42b1a

Download Submit