063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Size

2.6MB
MD5

1f26bccdd30ec8c624318e3c1427e480
SHA1

b9b59d0257e3d499b4d78b5dcfe0e7765f13edff
SHA256

063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f
SHA512

7589b98728a52a6c52c20d915d4fcfbc7b416e9fd20a8c1c04f2e05eecc109a4f6af089f1f2e485070128e2b4aa2cd6df2cb5193031fafc4f26ecbcac3b39c50
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUp1b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	locdevbod.exe
2144	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevsys.exe"	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6Z\\xdobec.exe"	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe
2752	locdevbod.exe
2144	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2752	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	30
PID 2756 wrote to memory of 2752	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	30
PID 2756 wrote to memory of 2752	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	30
PID 2756 wrote to memory of 2752	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	30
PID 2756 wrote to memory of 2144	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	31
PID 2756 wrote to memory of 2144	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	31
PID 2756 wrote to memory of 2144	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	31
PID 2756 wrote to memory of 2144	2756	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	31

C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
"C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\UserDot6Z\xdobec.exe
  C:\UserDot6Z\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot6Z\xdobec.exe

Filesize
2.6MB

MD5
5add1a988d7ea07ba75ccb5342882c40

SHA1
bf62ed652875f80dca9c9ad0f40aa6baa0e8c856

SHA256
0a881e2ed05d5ed33524bb7492f7d045dfea15f528fd8e1798c6c9e6f035afa6

SHA512
3d5302bbc87aae9d93dceb531eefaf270f122ea2b5c8399a1f9e403a8acaf5733ce3f1352e3a8235a8562b8de7206049465e568538af8db4979c21734486d4b4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
57d4c09e24c14e2965240bef58894522

SHA1
6aaafec172f223558c162d51b29b16347589acda

SHA256
f99c11a67546b85bb0012a62325da16e1ac6f9563baff40a169021a9adad238a

SHA512
ae059a1bebbd3138f7a98603cd10442dd88c8a8df16e37c5ba8f619d2029c26a1c43afc71d134a1270cd0fec64ff93bb1886da86874c97d6bebfbd607ff1ed0f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
aed741c5108d34d07f9e76200d41441b

SHA1
183447cf87db40d78b60b3731cb113456e83e0bc

SHA256
3d745e8495ac7486ffdf5a9c354534524915ef9cc5d6ad5036a627b953152bdd

SHA512
6dae395dffbc8aab69e21a0909e2bd92b06fc9b709e32d641b3ced81ad5db0152ef12cddfaee697725ac20d06cd952d940f1f7bb5426b01fe3e6eb222d690625

Download Submit
C:\Vid8B\boddevsys.exe

Filesize
2.6MB

MD5
413dc7f7f99915c2a91c96a866125899

SHA1
6e082d5fbac9ba8b3a753243f4959b0ef6422bc2

SHA256
8051c2d623246aedebe300705a28739614ed0d1a848092744ecc43cf7c57fecf

SHA512
0e79a1e3ebd7be903e5986897365a39e70c001f5277e03fd8d610899d9a12bb1578663fa9346b9ae25bfe2315d4c203b0375a522a8a27434b284d5dae49eb992

Download Submit
C:\Vid8B\boddevsys.exe

Filesize
57KB

MD5
a54d72e8045190fcd1a7c29fae94a21c

SHA1
f2ea661cc3cf0731a34224f5856fb93924eb24b2

SHA256
0b20c762da9a21258c1c72f455e159b8dace732893ef98e5aa50977354b417f2

SHA512
695ebd676bd1ca7122544e8b8deb2955ca2b1188a1354b07706a7fc0b7a83480ec3d0f69b58b9d585933a9b10fc174c22ef9f24672c820f5088fa4a114a0c123

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
96c507884e3db640ee26573c80ccc1f7

SHA1
f90a35992bec80a5b43fd32eaa5d96ab4d68ab3b

SHA256
3a0de699e0a690c92ed4f987abae145897cef1bfef1da9cd8daf9ded531f75f7

SHA512
8b63bfef58cfc6174000c6667638bc7cd56405c1b4e5dfb3bcdceb3dc76f48c38efdbc7086e727b2b8120ed4340ff61bf697a7701169ab9898dd111148658678

Download Submit