Analysis
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
13-11-2024 13:41
Static task
static1
Behavioral task
behavioral1
Sample
a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Resource
win10v2004-20241007-en
General
Target
a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Size
2.6MB
MD5
25fcd43dd13be01b88d95f3006bf36a0
SHA1
3c04d3af5a3fac3da76780e3d5e86e235987e2a8
SHA256
a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14dd
SHA512
8407df9422abc63a2f5ec47208593a27be276a3ba6cea634dbb2312544164ece7f6d78735bbf37ec27feea6e951814d9df15dc4f5f36c413d08086cb3704e7e0
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures

Drops startup file 1 IoCs
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe

Executes dropped EXE 2 IoCs
Processes: locdevbod.exe, xdobec.exe
pid | Process
684 | locdevbod.exe
3016 | xdobec.exe

Loads dropped DLL 2 IoCs
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
pid | Process
2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLI\\xdobec.exe" | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB3Z\\bodasys.exe" | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe, locdevbod.exe, xdobec.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevbod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe, locdevbod.exe, xdobec.exe
pid | Process
2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
684 | locdevbod.exe
3016 | xdobec.exe
(the pair of rows for PID 684 and PID 3016 is repeated 31 times in the original report, for 64 entries in total)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
description | pid | Process | procid_target
PID 2068 wrote to memory of 684 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 31
PID 2068 wrote to memory of 684 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 31
PID 2068 wrote to memory of 684 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 31
PID 2068 wrote to memory of 684 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 31
PID 2068 wrote to memory of 3016 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 32
PID 2068 wrote to memory of 3016 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 32
PID 2068 wrote to memory of 3016 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 32
PID 2068 wrote to memory of 3016 | 2068 | a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | 32
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2068

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 684

  Level 2: C:\IntelprocLI\xdobec.exe
    Command line: C:\IntelprocLI\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1.9MB
MD5
557588b5982ee60422bc38138d315908
SHA1
56e17e352888d7664301e1a19cef84c1824f544b
SHA256
a24a0dbdd0e80f6fa5a4b036401e1178f14a68dfb500fdee8a3c122edb7a1d80
SHA512
36853caafbe507895b1844d78762792758ed5a891216db3c9bbce7e094364eb04a6b0eb3e6c3cab2bf1a055a04e863d194a089908e1607395ecea28678ba80f7

Filesize
2.6MB
MD5
6e11cb30f62f8cd386d00255c50be71a
SHA1
4aeb45cfa182f2b4015b98e191d3114809dacc9f
SHA256
3daa3251b19d6ee25450bda1d842f008eb1ac38893b643c10cf05e9424beff07
SHA512
d295e101225e7d5d78e3a71b144dd7827446e714924c08b63765cfc17b94876c5d62a4ff8f29b764fbbc83f9d73bf44d592548dbeb0aac43e016122a5ab46b3a

Filesize
60KB
MD5
0adfdacc3885e032eb1fd49992ceffc4
SHA1
73ed7fc873d51ca8524a6b3a295ad5b0528e31c0
SHA256
ff47550d7958eb05d4bde24a1bac7be0f99f4f7afd0da28cf157ae62d7098fcb
SHA512
d1482a2a567e9aa4828d8323e0981ca2b58bd898cbd4d57f78296b038e4fe8014ed05ee6ae7f9c54fa0981b775f1dd8e5288cccb35b96e3d4937e49591989d6b

Filesize
173B
MD5
f348bc501f1a74f403647395d8d0d766
SHA1
3af0aa7f929fabbfe1bd396fd69afd58077bbce7
SHA256
d17049dd81e4bcc75170d68963de970fbce45e5c58e09909f71cf590828c041d
SHA512
31e61a1a9094658e35f1ae375a81ad6ff83ab9d16ba9c8c63fe898f88680ce665017ec2fc37ae25f2dc1fb204e6d78ce19d86125d0ebecb5c36b1f71af466b78

Filesize
205B
MD5
03705cd718d63952b0c073dc88eaf4fe
SHA1
5b53fedcdd7a4ccacd680348f76cdde66bc1876c
SHA256
6bf99004847ef8435734b1953bce8ce4c9d2b4cb338885ebe7089509745c4aae
SHA512
de4b860353690cc080c6da16d3307a8f852d3167f4c31b200b03ca36b3c1aa4d51c02e14c0a6375301066835a0c7c46f09beae40d307259eabaa7bccd3605ec9

Filesize
2.6MB
MD5
dbda7c25d2b3c11c3a43f3c8e4fb230b
SHA1
9e8f2deb40266be77ea745d41043f321565d4525
SHA256
0352b8fce892371eda02a0fc036093d8f7454aa26b636561f6c60a2213775c51
SHA512
4f2ff8441965c6475552e2871f049c428658b735604a860437cfc4e297e241b2f7100beb296c302b1bb93d7c8d3e8db2ea6ad164a8ce98ca75493b872ff13f06

Filesize
2.6MB
MD5
33ea9f07e29dfeb60bcdb963064094a7
SHA1
793603c48ff6e6781324d69a971019d835a54702
SHA256
f82f429e3cfc207f56add276db41bcc26cadbc055eee6e58637922d287827a5d
SHA512
616c8a65a349e84520b585d245c6af0097d6db3175a4813ee8e80b2c13e4b0bd257b5982d23190c81c21d5d8edee72b4af1e94b2585fa32a6a89470aec22ca5b