Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12/11/2024, 17:13
Static task
static1
Behavioral task
behavioral1
Sample
18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
Resource
win10v2004-20241007-en
General
-
Target
18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
-
Size
2.6MB
-
MD5
0dfb70f35e3fa52b28c1b0902dff5080
-
SHA1
c789c44af04c1c3d92336ad22863074c61ba4e8c
-
SHA256
18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106
-
SHA512
fec0fcf56b2d290d9d39d91b5d426c48d5244dc61696b2ffd316c5c426d66ce7e4f19eddcfd9bf51d0a3799bc6b15d8837e54e7d693c984eb4d4aa7e41c3d1d1
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpxbV
Malware Config
Signatures
-
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) -
Executes dropped EXE (2 IoCs)
PID 2396: locdevdob.exe
PID 3080: xbodsys.exe -
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKT\\xbodsys.exe" (process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEL\\boddevloc.exe" (process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) -
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevdob.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodsys.exe) -
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 events come from three processes: PID 1704 (18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe, 4 events), followed by alternating events from PID 2396 (locdevdob.exe) and PID 3080 (xbodsys.exe), 30 each. -
Suspicious use of WriteProcessMemory (6 IoCs)
PID 1704 (18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) wrote to memory of PID 2396 (procid_target 86): 3 events
PID 1704 (18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe) wrote to memory of PID 3080 (procid_target 89): 3 events
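The persistence recorded in the signatures above (a Run and a RunOnce value named Parametr pointing into C:\FilesKT and C:\KaVBEL, plus an executable dropped into the user's Startup folder) is easy to catch from endpoint telemetry. The Python below is an added example, not part of this Triage report or of the sample: it runs two detection rules over constructed Sysmon-style events (EventID 13 RegistryEvent value set and EventID 11 FileCreate, using Sysmon's field names). The events are built from the IoCs on this page plus two benign decoys; the trusted-root allowlist, the flagged extensions and the event layout are assumptions made for illustration.

```python
"""Autostart persistence rules run over constructed Sysmon-style events.

Added example. SAMPLE_EVENTS is constructed from the IoCs in the sandbox report
plus two benign decoys; it is not real telemetry.
"""
import re
from typing import Dict, List, Optional

# Sysmon EventIDs: 13 = RegistryEvent (value set), 11 = FileCreate.
REG_VALUE_SET = 13
FILE_CREATE = 11

AUTORUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)
STARTUP_DIR = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Allowlist (assumption for this example): autostart entries for installed software
# normally live under these roots. A freshly created top-level directory such as
# C:\FilesKT is exactly what this rule is meant to surface.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# .lnk shortcuts in Startup are common for legitimate installers, so only direct
# executables and script types are flagged.
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe")
USER_HIVE = r"HKU\S-1-5-21-4050598569-1597076380-177084960-1000"

SAMPLE_EVENTS: List[Dict[str, object]] = [
    # The three persistence events the sandbox reported (constructed from the IoCs).
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesKT\xbodsys.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBEL\boddevloc.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locdevdob.exe"},
    # Benign decoys (constructed): a vendor tray app registering itself, and an unrelated write.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": '"C:\\Program Files\\Vendor\\tray.exe" /minimized'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"},
]


def autostart_target(details: str) -> Optional[str]:
    """Extract the executable path from a Run-value string such as
    'C:\\FilesKT\\xbodsys.exe' or '"C:\\Tools\\app.exe" --tray'."""
    m = re.search(r'([a-z]:\\[^"]*?\.exe)', details, re.I)
    return m.group(1) if m else None


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_event(ev: Dict[str, object]) -> Optional[str]:
    """Return an alert string if the event matches a persistence rule, else None."""
    eid = ev.get("EventID")
    image = ev.get("Image", "?")
    if eid == REG_VALUE_SET:
        key = str(ev.get("TargetObject", ""))
        if AUTORUN_KEY.search(key):
            target = autostart_target(str(ev.get("Details", "")))
            if target and not is_trusted_path(target):
                value_name = key.rsplit("\\", 1)[-1]
                return f"autorun value {value_name!r} -> {target} set by {image}"
    elif eid == FILE_CREATE:
        path = str(ev.get("TargetFilename", ""))
        if STARTUP_DIR.search(path) and path.lower().endswith(EXEC_EXTENSIONS):
            return f"executable dropped into Startup folder: {path} by {image}"
    return None


def scan(events: List[Dict[str, object]]) -> List[str]:
    """Apply check_event to every event and keep the alerts."""
    return [hit for hit in map(check_event, events) if hit]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints three alerts: the two Parametr values and the Startup-folder drop. The vendor tray entry is suppressed only because its target sits under C:\Program Files; in production the allowlist should be tightened to signed binaries or known installers rather than whole directory trees, since an attacker with write access to a vendor folder would otherwise blend in.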
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 1704): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 2396)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2 (child of PID 1704): C:\FilesKT\xbodsys.exe (PID 3080)
    Command line: C:\FilesKT\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.2MB
MD5: 2f2b29e5d07837de396beeb36cbb07f3
SHA1: f9ccbafe7e35183fd3a29f6df1140a2be819f0c5
SHA256: 309ecff53e870a8916a97d4fdf272b369a770912a55b2f1ce7c3020190c2d882
SHA512: 07066e32d4d46bee9ae3eac3bbdcb7d1970657a8464f7c946fca0c8a669056738b5b9b8d19b36ba98a5e07ee7f1d5c41377f374c345e16496b2471e973287d2a
-
Filesize: 2.6MB
MD5: e61c6ee467ccf7edf4786023375a9081
SHA1: 35cc868f5a567f186ce9d1197b535a7086519473
SHA256: ac26fdb3ca69a8476434b5206b251548707b2c940c67449410df4b4757ddbe1e
SHA512: 2342f3e9f89489604a6325f926ce492e2f40f0024f005ffc8976eb7c421ea9e5206d4281040106bfc4ffc4cb5a9fcea381d39a62f5c80e46f211106901fb3cba
-
Filesize: 2.3MB
MD5: 25c9b30b751a52abe4a1d552559e59aa
SHA1: de7ff044e0a3995c620287015c8bfab85a86b138
SHA256: a73cd4b3b49dae0c19e9f2f5111842932518d39b3c84d02d2299f2b3505e17af
SHA512: bd5ce9378cdfb496dbac8fae43faa72b1dd9838ce6160a8ab32bc68165089a99fd06f1e2c22f09c104ad20550ffb5f468dcec41c2aba3383966543775b91d0c0
-
Filesize: 2.6MB
MD5: 9d3900eda9b7deb3442b01f625528836
SHA1: 975f86a3d7824d17f1bb60ec5f84fe2f92043640
SHA256: 4dc9f6fb7c9c0380a1fc1d6f52b27aa3e8b10c75358e30b494c9d049db2431a1
SHA512: c686fd8769ef882759b83a88714745cdf16239e7fef0920dfb11af6025f289cf8ada5ce7f5a30752c027507f050908e7445098bf5846092901a0f7ea5b1cd435
-
Filesize: 204B
MD5: 700d96510f323103a6e78882f146bf88
SHA1: 5292dca087c1497c1717f77bfe25eeb16666d7ff
SHA256: 535842a763a5f68dd1c196aba1b2d87a1b295fdec5816d8852632e16bcbf13f1
SHA512: 57ea1c008e6f87252f6f34a77bbaecb8c0b8b7ca8dedd2ee676480884a228a7c0ccb1081ed0218f24cff50f6ae76712a573bcdb5ba137768cbd9b2166dcc6a53
-
Filesize: 172B
MD5: 62500b816125e48f9f7d11274d9d9bf0
SHA1: e76228a32c48a3de792f7070f7b64a8550b58db4
SHA256: e2d60cd7c457c602d95c0a893f818d34a0d31b8b74d387b9c84d070996e396e2
SHA512: 5868ad2991a97731f7ece303a2afdf7a8cab4c667acf0ba386af18dc19fc0a583d9ee1d6ed3fa66ca2dcc38116964d9026b8c92a4aefdf63381c5fe291b824fc
-
Filesize: 2.6MB
MD5: 3adbe7210f464459a40a07a188b0a089
SHA1: 733b2b5c5f7442f849e0decbc371c16511a6b6b7
SHA256: 11a74b6f70c63e68bba563106364710fd768b74f88ddb325735e626eff54c0dc
SHA512: 84930a8e48fa8b9d65d3ef3130df435ec9d9cfaabb01281dfd8a480e46e17bee7bf193ab430e9c999f6e6b69e00d7ab4348becc66fe38830897877d81d050f91
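The Downloads section identifies the dropped files only by size and hash, and the page flattens each hash label onto its value ("SHA1f9cc..."), which makes copy-pasting into a blocklist error-prone. As an added example, not code from this report or from the sample, the Python below parses that flattened form back into IoC records, adds the dropper's own hashes from the General section, and sweeps candidate files by SHA256. The embedded table excerpt is copied from two entries above and the candidate paths are the drop locations named in the signatures; the helper names and the record layout are my own.

```python
"""Parse the report's flattened Downloads entries into IoC records; sweep files by SHA256.

Added example. DOWNLOADS_TEXT is copied verbatim from two entries of this report's
Downloads section; SAMPLE_RECORD is the dropper's hashes from the General section.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

DOWNLOADS_TEXT = """
-
Filesize
1.2MB
MD52f2b29e5d07837de396beeb36cbb07f3
SHA1f9ccbafe7e35183fd3a29f6df1140a2be819f0c5
SHA256309ecff53e870a8916a97d4fdf272b369a770912a55b2f1ce7c3020190c2d882
SHA51207066e32d4d46bee9ae3eac3bbdcb7d1970657a8464f7c946fca0c8a669056738b5b9b8d19b36ba98a5e07ee7f1d5c41377f374c345e16496b2471e973287d2a
-
Filesize
204B
MD5700d96510f323103a6e78882f146bf88
SHA15292dca087c1497c1717f77bfe25eeb16666d7ff
SHA256535842a763a5f68dd1c196aba1b2d87a1b295fdec5816d8852632e16bcbf13f1
SHA51257ea1c008e6f87252f6f34a77bbaecb8c0b8b7ca8dedd2ee676480884a228a7c0ccb1081ed0218f24cff50f6ae76712a573bcdb5ba137768cbd9b2166dcc6a53
"""

SAMPLE_RECORD = {
    "size": "2.6MB",
    "md5": "0dfb70f35e3fa52b28c1b0902dff5080",
    "sha1": "c789c44af04c1c3d92336ad22863074c61ba4e8c",
    "sha256": "18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106",
}

# Hex length of each digest. The label is fused to the value in the flattened text,
# so the length check is what keeps "SHA1" + value from swallowing other lines.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = set("0123456789abcdef")

# Drop locations named in the report's signatures; hashed only if present locally.
KNOWN_DROP_PATHS = [
    Path(r"C:\FilesKT\xbodsys.exe"),
    Path(r"C:\KaVBEL\boddevloc.exe"),
    Path(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"),
]


def parse_hash_line(line: str) -> Optional[Tuple[str, str]]:
    """'SHA1f9cc...' -> ('SHA1', 'f9cc...'); None if the line is not a fused hash."""
    upper = line.upper()
    for label, length in HASH_LENGTHS.items():
        if upper.startswith(label):
            value = line[len(label):].lower()
            if len(value) == length and set(value) <= HEX:
                return label, value
    return None


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Split the flattened Downloads section on its '-' separators into records."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line == "-":
            if current:
                records.append(current)
            current = {}
        elif line == "Filesize" and i + 1 < len(lines):
            current["size"] = lines[i + 1]          # the size sits on the next line
        else:
            parsed = parse_hash_line(line)          # size values fail this and are skipped
            if parsed:
                current[parsed[0].lower()] = parsed[1]
    if current:
        records.append(current)
    return records


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_digests(digests: Dict[str, str], records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One hit per (path -> sha256) whose digest appears in the IoC records."""
    by_sha = {r["sha256"]: r for r in records if "sha256" in r}
    hits = []
    for path, digest in digests.items():
        rec = by_sha.get(digest.lower())
        if rec:
            hits.append({"path": path, "sha256": digest.lower(), "size": rec.get("size", "?")})
    return hits


def sweep(paths: Iterable[Path], records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    digests = {str(p): sha256_of(p) for p in paths if p.is_file()}
    return match_digests(digests, records)


IOC_RECORDS = parse_downloads(DOWNLOADS_TEXT) + [SAMPLE_RECORD]

if __name__ == "__main__":
    for hit in sweep(KNOWN_DROP_PATHS, IOC_RECORDS):
        print(f"IOC match: {hit['path']} sha256={hit['sha256']} (reported size {hit['size']})")
```

Paste the remaining Downloads entries into DOWNLOADS_TEXT to cover all seven dropped files. Matching on SHA256 alone is deliberate: MD5 and SHA1 are kept in the records for cross-referencing other reports, but a sweep should not treat a collision-prone digest as proof of identity.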