153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Size

2.6MB
MD5

1abccf097d1132466158a7e067f5c2cc
SHA1

e98410ebc3c8f26b008488810ed4c53b7271da18
SHA256

153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95
SHA512

9eeec6af6720a71be5b20ea0b0b7d72fd94a956d814ea8b5df8a2318c42aec67bf30bcdce400d605ccdfda41abf3c8344b865f55e8b2c1b15039dba45530181d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	locxdob.exe
2348	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6E\\devbodloc.exe"	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQP\\bodasys.exe"	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe
1748	locxdob.exe
2348	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1748	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	30
PID 2316 wrote to memory of 1748	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	30
PID 2316 wrote to memory of 1748	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	30
PID 2316 wrote to memory of 1748	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	30
PID 2316 wrote to memory of 2348	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	31
PID 2316 wrote to memory of 2348	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	31
PID 2316 wrote to memory of 2348	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	31
PID 2316 wrote to memory of 2348	2316	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	31

C:\Users\Admin\AppData\Local\Temp\153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
"C:\Users\Admin\AppData\Local\Temp\153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\SysDrv6E\devbodloc.exe
  C:\SysDrv6E\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQP\bodasys.exe

Filesize
2.6MB

MD5
1ee093dddf1ddab8fb4f3a432e91f794

SHA1
7551b59c91144fb19cb556ca236dbf217923b5f7

SHA256
8afaef2f27ad8a24068666a0c5a2089e3a789eeae28cf37dfd4a6dcdec299783

SHA512
bab1f32de15857a12c713b26ea2bfd91b9d9a2a6dad6219a819c92977eec1373cecac1867507b167d7bd892d34dea167ef8324e4202e13ef781971d6f6dc485a

Download Submit
C:\KaVBQP\bodasys.exe

Filesize
2.6MB

MD5
82a6760a510e10ed5ff670cb4a25e6e6

SHA1
6b663ba2133154612f31049c1ce7af98178565da

SHA256
2be60335003c312c2f4785068c9e55f20c9cf7c5467aab4915b1ba8f78087d68

SHA512
ecb033c342f5ce90fd93243f3bd95bf9771d2f1b41aa2fcd92f292a09f6e6c40c11ea41ad7e38de8b855e5f8341619705911c27b02e7ed96a5bdebb8d74af604

Download Submit
C:\SysDrv6E\devbodloc.exe

Filesize
2.6MB

MD5
3435dcffe207426889f86ce508c7cff8

SHA1
64ecaa24bda92372d7b731c17aa9bc7279411a7f

SHA256
221cb58a449c2fc381690f8747a4eb90aae3fd843cd3f29550580ff4c10212e8

SHA512
7d3de26c212428f9719244d2ef636dfa09cea6f6763adb46eb271afb3dc155a125bbc0a0da1d9b344cd91152e6c1e2ec1d8f2cf17feb53f7afab1f9ac1793b71

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
ac2a994b33bba523f5309e2004150aaf

SHA1
29c38ff6948ce5fc7e4abbcbe6cd22c509629d0b

SHA256
24e6767fd72502a97a6162bf989ab64b3d9082b22165d5ad29b1208c0ff6b5b7

SHA512
1bc3ccbe8df7e5effc55548e718b10878582b42b2cd3d0af514edbdffb60324d8106118ca9697c126fb0b8ed4231e2b8f286a6376663f2b84ec6f934f905d65b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0ba37a0e4c5405d3bc3cbc5b1eb75d19

SHA1
1d1c0a8f9cca37b6dda5f2689db8387c5257b3b4

SHA256
d16d0a68b0d48c42f01a27719cc305c324250e9bae90c3f5a17553b33a0e71a8

SHA512
8da587b80129794de11b747ca7af86c51d8fccaa8e8fc0e44ae96e71d49b44141236ae441197f4d08b19938a42311c58ca2668b8e8ab8166879e56518e7ce392

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
967858132c5cb5252667b53e45a383ef

SHA1
fc1578e2ee662bfcf2864cb3914974d62bc410f0

SHA256
481bbd253292d69f6819b455d5de7afaca8c3204b84ed744d779b5d9eed9c025

SHA512
61ace70f7d3c7484a53d78730b81e29af1e26b0959faba8bc0a2961f09c9e72aaeca8a0b15923d7934622d200eac15e6d72604447079ab49ecfa3987ddac16ab

Download Submit