b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
Size

2.6MB
MD5

9b544f1b35579edf8366615d33ab8e60
SHA1

4d6c3a054e1af0e32ad41890f1b1a76292f6ec05
SHA256

b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27
SHA512

6af3f046bd654370f69eba1b6dc11510435f79f337454ba01b38d41f1a7e4517e898caf5cf3bf23f22294d27c9868f0b5451e39c0e77667ada613ac25a310058
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	locdevdob.exe
3676	devbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintED\\boddevloc.exe"	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeP9\\devbodec.exe"	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe
2912	locdevdob.exe
2912	locdevdob.exe
3676	devbodec.exe
3676	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2912	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	82
PID 3172 wrote to memory of 2912	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	82
PID 3172 wrote to memory of 2912	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	82
PID 3172 wrote to memory of 3676	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	83
PID 3172 wrote to memory of 3676	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	83
PID 3172 wrote to memory of 3676	3172	b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe	83

C:\Users\Admin\AppData\Local\Temp\b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe
"C:\Users\Admin\AppData\Local\Temp\b311a46ef0a0d568550f643c30d82216d35659ba9c49bae68a120a435fd3dd27N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\AdobeP9\devbodec.exe
  C:\AdobeP9\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeP9\devbodec.exe

Filesize
2.6MB

MD5
1510d37db58a36724c21b57b2bf3dbdd

SHA1
d575684c29120b12f23820761795c4f2aff8e0a9

SHA256
393e7c095dbf3545943ddbc7810358338941138c644dd9257e80c18cd5487dff

SHA512
f06fe6156058033aa4288c92eaab7be91282a0d160807176fa895a476d3686599036474a8c5e702082c06f4eb527e01440b00ec38aab2c39ad8bd012b87dd673

Download Submit
C:\MintED\boddevloc.exe

Filesize
2.6MB

MD5
ab9163e1066579084ec25977942971e8

SHA1
b2bb55c10267c41ef0b522b8a799285dc5157bb9

SHA256
d389254a4134ba584c26c1c25e05e7cedf41b3ce99499c3d0c7e6e6512b988ab

SHA512
ee64be4eba917cb283a2f201018328e93f27422bc9bf77cdd7c52c1630bb28f96e86a313417cafc0964c3ba48a854cf7b96b5f4dbdbeda9441da1ad42db9d1ec

Download Submit
C:\MintED\boddevloc.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
863e596221c1c5aa73914e31f63dbd8f

SHA1
f54f45e0f5c7a2caa8b76e491c31fccd6e67958a

SHA256
463df832c3dc4a029d0c7d8f799f0ab0770443ebe195af364a4fafa402d32f6e

SHA512
3b471f3fb21c58868942ef631210a3b64e53d0fe2d7bde634306e3c0185e7f964df3408c1d2833f3fea8f59cea62bbbba0bf69b4a43a44592b250b39e48f2c5d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
16e88138e3f6df64321d94df33093af2

SHA1
f6ef991b626ace3731087111b11094c23529504b

SHA256
4591bd55de898b8d9a2e7d1ceffcd58d44a2973b3f28016dc5abf0def14037d6

SHA512
00fa27a63433e443ccf0fe8f55e441b58d3a1c5ce4abecb3711c26520e409509cc5549d360734ce6fca82fe05e09856c02ba37fa95ba41780968fddd8da2d2f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
0393e4c7578d1228c9d4b9ff720a6bce

SHA1
b1950f09bc10a3fc0f8ae95e6abc04d6677d1375

SHA256
a43bf5db8d37b7a16e15cab01c5e4903f1aef7b7ef1f914bd8fa968e15abf121

SHA512
fe6941b31f9639c608ce16ca68d4ab74a052cb2c7305f146f30e14d935ac9118abbc582cd30a23efd2a8d75332b158483576f209ad94a9c27870ee87c5b686d2

Download Submit