7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bf

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Size

2.6MB
MD5

fd9fa869215da69b80d1d897040b2dd0
SHA1

2d945392b274a46299a104fe3ebcf468a66ff1e3
SHA256

7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bf
SHA512

849a94563a48cf72be032984159659afbeafa03228d792112c2953f6d6fbee862548eaedbaaa2dde984c430b51b231b79a17c09ef449b0428eb2108105542966
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe

Executes dropped EXE 2 IoCs

pid	Process
1488	locxbod.exe
1360	devbodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVM\\devbodloc.exe"	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEE\\optidevsys.exe"	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe
1488	locxbod.exe
1488	locxbod.exe
1360	devbodloc.exe
1360	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 1488	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	86
PID 724 wrote to memory of 1488	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	86
PID 724 wrote to memory of 1488	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	86
PID 724 wrote to memory of 1360	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	87
PID 724 wrote to memory of 1360	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	87
PID 724 wrote to memory of 1360	724	7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe	87

C:\Users\Admin\AppData\Local\Temp\7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe
"C:\Users\Admin\AppData\Local\Temp\7fa2d4d87cdde0112fff2d085948a4a5bbf11e50b196923509fd7102d9b945bfN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\IntelprocVM\devbodloc.exe
  C:\IntelprocVM\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVM\devbodloc.exe

Filesize
2.0MB

MD5
9a2776f32a0fabf234cc5ba29377c16c

SHA1
efaf407b61f83ffccc5f9bee32afe1573a94c07f

SHA256
4998e0d1279d0741ab4f80633801fd16a13a445c01dc7fce623a69f2750a346d

SHA512
a3f7fa40fd4a5887dd508bc87a71463df2d95146b1c15a075fba6531fb7e5ad6f3b8533dfdcadbc2b2f163ccabfeadb1b129cd50f6430481a49e7ef459fe9c0c

Download Submit
C:\IntelprocVM\devbodloc.exe

Filesize
2.6MB

MD5
a4ed29c4eed9bd8cc9907c9463d244a2

SHA1
f3f2bc9ba998637f539507b4a058d75abf813889

SHA256
bfe5897d52f525607e2f6b94e1e752fd614a3d4c428b4cc37f8e29680f94a56c

SHA512
23fa5b2b46424c760b840f77d1f50580f8665d9275984a135b89cb41603d6187580e932e27c517caa1d8350101600b799053c649fb13a4d9d562c43389f53b11

Download Submit
C:\KaVBEE\optidevsys.exe

Filesize
2.6MB

MD5
094b1649c673f25e796c7eefef11c1eb

SHA1
b744e15b0a814ebb789eec95b312b60ec18ed34a

SHA256
dc402db13769f3eb947bcbc4cdc49efcb7e9038101fc76acffc67306caea2f3c

SHA512
d44ef8145760642b3c6e5e4933d6a79c9b1438e1c3288227f10ad22f61a1eefc9cfe5973f66729b485b5868c28164822886773763a66c7a71d4f170717e73e82

Download Submit
C:\KaVBEE\optidevsys.exe

Filesize
2.6MB

MD5
6fc9f7503ad6561e457f7c658b051677

SHA1
e77cd0f1a8c42530c1c94c8c8a43ef35e6467732

SHA256
725a3507c026f10927160d104c1a9aeb8e232c42cc577220c273b21a67d72e56

SHA512
55d3bd38976e44f5fe5382035d3bfd001512ae662208936850ebdbb94a0c00fb597728db314b663b3ea89d9b88be22e15832fd1d0df9550ccd71403a33b7b229

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
22ef96908025583faed980994726fa5a

SHA1
7ca3b50f18160db7f12f9bf8785783d0b223423c

SHA256
760086432c0870a8b34ddf96482c90911e7ef4ece9f15548a900c698a2652a42

SHA512
adf84926e943fd0f9b3fbea51a566711c40383918e99413b6d77d35aa538ebe5543df15d2fc44622ad708cebc7c13958d73e605082020cb88747981f492a3d08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
a595a83ebde3dc9565c215100d986691

SHA1
34e3d85b78f52a415ec0a47c24b4c9e7e30012cb

SHA256
02b34af7460b374e5630b6ca5c5a64586cdba4e95049abf5045e700236684cee

SHA512
f1dd4a8f50a9806670604a660bd0994ff4b336113b6f1c3a1ef7cdb67316c405832c2df6b52c78ad2553ec82f62c88657125778da8f3dd2b61d01064499e1a69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
08e0c2fc01c3cbafd0d0ee85fc5d42fe

SHA1
55aff039df185daa2367979b32feb39da18b70f8

SHA256
534eb3a5094671227a6fadee262cea35ba30699d13c7aaa1b1960f60bbc0ace4

SHA512
45cac06731e98ef0a237720a11d4df291d301a7947f12afd90765d2c5636f336b363edcd804c447c9d27d79a41d15f8e537b57e48ff262b4311ff4c3335a801d

Download Submit