Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:12
Static task: static1
Behavioral task: behavioral1
  Sample: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Resource: win10v2004-20241007-en
General
Target: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
Size: 2.6MB
MD5: 86136fac208ef5fbe52c2c0dc47f154e
SHA1: c949bca829e4e76f44c759f102fe4bc82349ddb6
SHA256: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726
SHA512: cc0b82fb598a230aefad1e09db71cf33e37a6626361ba7d107c276bdf3b575b195236dc868caf31c8f21084ee9a6c10e8d0959426b8e48551be54ad7208cbce2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUphb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  process: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
Executes dropped EXE (2 IoCs)
  pid 1616: locdevbod.exe
  pid 2920: xbodec.exe
Loads dropped DLL (2 IoCs)
  pid 840: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  pid 840: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4L\\xbodec.exe"
  process: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5C\\boddevec.exe"
  process: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: locdevbod.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: xbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 840: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe (first 2 entries)
  pid 1616: locdevbod.exe and pid 2920: xbodec.exe (the remaining 62 entries alternate between these two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 840 wrote to memory of 1616 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 30
  PID 840 wrote to memory of 1616 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 30
  PID 840 wrote to memory of 1616 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 30
  PID 840 wrote to memory of 1616 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 30
  PID 840 wrote to memory of 2920 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 31
  PID 840 wrote to memory of 2920 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 31
  PID 840 wrote to memory of 2920 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 31
  PID 840 wrote to memory of 2920 | 840 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe"
  Depth: 1
  PID: 840
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    Depth: 2
    PID: 1616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot4L\xbodec.exe
    Command line: C:\UserDot4L\xbodec.exe
    Depth: 2
    PID: 2920
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads