82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
Size

2.6MB
MD5

815e43357dcce9be5d8ffe1a3eed622e
SHA1

90b57ae8af831f8561ade030d942c257617842a7
SHA256

82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158
SHA512

0fed557f4b8839799c7c02584f978a597fb0a4cdf452c66f20456077cf7394fc246c1ed7f92a1ee398d9556aa058bf09fc68bd94d941521e2da67aa18c1299fb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe

Executes dropped EXE 2 IoCs

pid	Process
5048	ecdevbod.exe
3116	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG8\\xbodsys.exe"	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOR\\boddevloc.exe"	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe
5048	ecdevbod.exe
5048	ecdevbod.exe
3116	xbodsys.exe
3116	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 5048	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	82
PID 3980 wrote to memory of 5048	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	82
PID 3980 wrote to memory of 5048	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	82
PID 3980 wrote to memory of 3116	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	85
PID 3980 wrote to memory of 3116	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	85
PID 3980 wrote to memory of 3116	3980	82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe	85

C:\Users\Admin\AppData\Local\Temp\82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe
"C:\Users\Admin\AppData\Local\Temp\82c9dcf8d148ae7249d9b5806f3103679445d760eea1dd4786792504c82cb158.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\IntelprocG8\xbodsys.exe
  C:\IntelprocG8\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocG8\xbodsys.exe

Filesize
1.9MB

MD5
5c7e4e42c9541623faf7736ef16155a6

SHA1
1473c7e5a293b7c75519f5f425c96bda925b02e8

SHA256
d6107fdefc74e1af9ce105f597a326cec57717e9ce3d52eca3936450066447d1

SHA512
98efc81d9ae26d5b3dfaa506294d3fbb79556fda86572760d61785ee9004a74b0777b63b60907e3893daa4e35380e92c2b745dc706e96e369a2dadde57bc176a

Download Submit
C:\IntelprocG8\xbodsys.exe

Filesize
2.6MB

MD5
772d092a8a0acaca7f8b0b24be1649bf

SHA1
ce36e141afc8abc20e826dea615fb7c701b61d08

SHA256
dae3260ee763aac4613c936bbaaa8f245f832a98d1ad1974e7099fa271509a9e

SHA512
4b948d509940653ff023c4812c223e328abba2d6bf47a1e07ff76722d9d08b2ae0510b4972aa7f256a39e4d619320fd00b74b33adab9f404b50a50dcce7e1fe5

Download Submit
C:\LabZOR\boddevloc.exe

Filesize
184KB

MD5
0b550e7c36489dea2fc8941aa3ab5478

SHA1
6623d90e7c3e79728a8a955996352104baf047ba

SHA256
1d44a23c0277676cabc1a7ffe03b56ff77b0b5346f0bb58d3698fc9284b530c1

SHA512
508f27b7aa3ecc6529856ef4abf41783bb92deb60775692fe60dcbef85fa374b8c3ff9856fedf3fd1aa1a86d5eea2b462281fed0d3fbf9626b54c3049c3cc11b

Download Submit
C:\LabZOR\boddevloc.exe

Filesize
1KB

MD5
854d7024d6a3690861a5e13adeeebc56

SHA1
2ac1cc8c12d24dba6b5be96438f764753e2534af

SHA256
7bee14ad9ce88140df4a16649b935961e01da085178d766133129df3d97623d4

SHA512
83e4768567adea2aa5df900d4c232d5f8ccf5bfaeb8524a7641aa8d27412adf71a2c90d307b2a7c43f43dbc803b2ee2754ce4035888a928c3543f1c8912422a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
fd3e2fd26da3db722d72c537657314a4

SHA1
79ab51257e77e17a86bee0a1d3c562b2d70eb14c

SHA256
8ccc5a4691543e6f28342d54fbe885c51425561a0641ee0999cc238ecdc5460e

SHA512
26365178657e462016805a7b307c66656c7cb416394813c22a0250594c33e2db08c9af33561844a10cc19f5a65389420dc4dea625b2d82dd56079609667ca96b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
6ecc7c833004a6cc31bf083e7637cf8c

SHA1
233dfbba9da0e7e61e797c9e4779e6ec03283d9e

SHA256
ee3162d271562d74e8b331e9c93c34b2332004ba9af2faa8322983740081623f

SHA512
1c96cedbee0cebeedf93f5324b50b40854a2c174d6a03e6cf09c83436c78de00a97916daebd3c404828b931256c440710912c780f849367562b77fabfa37b47d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
fa62da16a965f895a4cb071d090e2690

SHA1
ed0f821762c7ad291d1b8bb1245b57474bc968af

SHA256
749b9492646eb4c46e74b3a78cbc439a68b38f31aef615af40610e9f5ef092fe

SHA512
416fb40145b877e5ac08d302b57597457e955d8940cef8f2f9784b5068aeef16f8093a01e9cc40922b1dd3d8948117fe289fed7f469a935cedd5ede36a1b7ff8

Download Submit