Analysis
  max time kernel: 150s
  max time network: 137s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-11-2024 19:55

  Static task: static1

  Behavioral task: behavioral1
    Sample: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
    Resource: win7-20240903-en

  Behavioral task: behavioral2
    Sample: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
    Resource: win10v2004-20241007-en
General
  Target: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  Size: 2.6MB
  MD5: 42e4fee316404e8b073aaa70878e8685
  SHA1: d2c60fdbe4c1fedec87905a15bc9b517a4352b1c
  SHA256: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8
  SHA512: a7f205f5ca2f9e9d794d0568f7da3d7f956677c7f9ca7a99adc73ed7615dfb16c0ca838d455f3308ccdc898465f1473cfa84dd827a97b3fbcd461117b99ec761
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpVb
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Process: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe

Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1812: locdevbod.exe
  - PID 1636: xbodsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1M\\xbodsys.exe"
    Process: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5A\\dobxsys.exe"
    Process: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevbod.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (distinct PID/process pairs among the 64 entries):
  - PID 3684: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  - PID 1812: locdevbod.exe
  - PID 1636: xbodsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 3684 wrote to memory of 1812 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 86)
  - PID 3684 wrote to memory of 1812 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 86)
  - PID 3684 wrote to memory of 1812 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 86)
  - PID 3684 wrote to memory of 1636 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 89)
  - PID 3684 wrote to memory of 1636 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 89)
  - PID 3684 wrote to memory of 1636 (148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe, procid_target 89)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe"
     PID: 3684
     - Drops startup file
     - Adds Run key to start application
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
        PID: 1812
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

     2. C:\Files1M\xbodsys.exe
        Command line: C:\Files1M\xbodsys.exe
        PID: 1636
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads