fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Size

2.6MB
MD5

6cf11d2b3a18eeea3ca9d3486072b4f4
SHA1

63b862f53cf28e9a478e960e6ca87565820308b0
SHA256

fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b
SHA512

3b931c4f70cbff192860ed8b8f547da4318f12594469e0f56e41d1fd66f0a455805210c116c3bc2da6d86ce51ad04bf52d1e1e865f670e7df5de4cbc4f3d2310
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	locdevdob.exe
2576	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBJ\\bodaloc.exe"	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc99\\devbodsys.exe"	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe
2864	locdevdob.exe
2576	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2864	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	31
PID 2396 wrote to memory of 2864	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	31
PID 2396 wrote to memory of 2864	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	31
PID 2396 wrote to memory of 2864	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	31
PID 2396 wrote to memory of 2576	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	32
PID 2396 wrote to memory of 2576	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	32
PID 2396 wrote to memory of 2576	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	32
PID 2396 wrote to memory of 2576	2396	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	32

C:\Users\Admin\AppData\Local\Temp\fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
"C:\Users\Admin\AppData\Local\Temp\fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Intelproc99\devbodsys.exe
  C:\Intelproc99\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc99\devbodsys.exe

Filesize
2.6MB

MD5
1bca2eb24e6f77fc6595aba5be6c3eeb

SHA1
de26ea0d3e2774182638f809c3ed985152046804

SHA256
c7f2f2dd69fb85764c807c5341a50624ff302cdcf1be751be78c9cb28a96eb6b

SHA512
1e1c1405e737f6390895c6a7e6604a62122360046f9ca99f14cbe7f46c9c22a9e4ffa00353ab9388c93c379f23bafdaafe99332b455bbc4f80a8fc91b92a36f8

Download Submit
C:\LabZBJ\bodaloc.exe

Filesize
2.6MB

MD5
037e3cd5f60295e27b63b907b9fba758

SHA1
9328175fe7b85075bb06f2759661da55984cc6a7

SHA256
689dd5cf008f92926cd8c6ef64564d8d004b36e470591a786f5356ec7b0e6e81

SHA512
0884bfa26a5505585f2585146b57e4bb4063248696db14c8a5c2940c1ddf307cef15ae1c33564fc74c0180e85492233cfe95988ee15fe0ae6941bba65937254a

Download Submit
C:\LabZBJ\bodaloc.exe

Filesize
2.6MB

MD5
4df681f9a36689be85969df172f38612

SHA1
13c3b61d74e19414a28ab5b02ce402afb7e6aee0

SHA256
78b1ecf65eb0392ca94dd213305648784c89aad8c328aa16aebf9e5da9409129

SHA512
2f377babc9b364954581813714f6188205bb459528a9a25fc5ad87beffd0313bb3118cd8fdabdda6324749d5f0cf5b19bdd1f1878a552026e714ed7588867783

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
0dd265ee2cbbcb8294fbae8507113a2a

SHA1
5760f84e1bcd5b5ef251888b293a839831f9fdbd

SHA256
2c67464a4f551ca76699a7f9077e5feb751312af9bc09a4fe70240ecdb46fe47

SHA512
12fb1a7ed104a6d3bcc44e088669dcd6658c4734610de04de3a7ed9fa3153fc4f05ffe1b592d9517af64211157de538704fd1f9f31917c0d4f3ce0137bf8bad5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
afe4056f4e012f55b7e45d6f39836c48

SHA1
a84972496aa1967130ee75713f070abb6d9f6e65

SHA256
ee6ab99b5ff534fc75d86b38a0aeb7efc414e9da3ace954ae5c93f39de1583fe

SHA512
77b1b8fbdf6180e4f23720a6b46fe3e6e7078b6f9ecb0ead3c6d5d1d5bf12a8ebf642195f7e12a7d19b991357d330f9591dd16f64adfe338c92699d5918d5e99

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
2880d64fce22200276a317b87eba9530

SHA1
4f2cfbd51550c62c993152963988227943d2733b

SHA256
fd6f57940329d68b9c7a2a411704a6688dc0aac06c62115bea53a18f4b3b1d4d

SHA512
cf5066ea26296c0ed05970677a9d77af22b8a1c8a47c49d53c4dd9b2674cfd74c2c3a55a50cf43fe15b3ebec99963d64bcc18d7f013c224e10fc43446511e49d

Download Submit