Analysis
max time kernel: 120s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:06
Static task: static1
Behavioral task: behavioral1
  Sample: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Resource: win10v2004-20241007-en
General
Target: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
Size: 3.6MB
MD5: 52e077fa15122034a64c117e7808ce20
SHA1: 36097a2e0d084de643126e98ad1f2888b55b61c8
SHA256: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353
SHA512: 1a499fb6d13595813d49c92e5ee09062012f7350f14e44ab2732d740877614db9a2ad2679ecd0c659736ecf45e35e2599c5c939592727e68d03240a2b4896edb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    by process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe

Executes dropped EXE (2 IoCs)
  PID 3156  locdevbod.exe
  PID 2724  xbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKM\\xbodloc.exe"
    by process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEC\\dobaec.exe"
    by process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: xbodloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: locdevbod.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Fired repeatedly (64 entries in total) from these three processes:
  PID 2176  60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  PID 3156  locdevbod.exe
  PID 2724  xbodloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  source PID  source process                                                              target PID  procid_target
  2176        60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe      3156        87   (3 entries)
  2176        60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe      2724        90   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe  (PID 2176, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe  (PID 3156, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocKM\xbodloc.exe  (PID 2724, level 2)
    Command line: C:\IntelprocKM\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads