f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
Size

2.6MB
MD5

da7798983dc0e62359c27ba5902dbcc0
SHA1

d2986001ea13ba4379cb9cc20dab6eaab25c10f5
SHA256

f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704
SHA512

5b39a26a058710fd7147c46e4e821594671e1fe53cb78f7845c5bce5e38f8e901c263f2be88222d72d6b7a6bdd6bea759268f8b108c21f306c100070c333d4cb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpRb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	locdevdob.exe
4820	xbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6U\\xbodsys.exe"	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5S\\optidevsys.exe"	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe
5068	locdevdob.exe
5068	locdevdob.exe
4820	xbodsys.exe
4820	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 5068	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	87
PID 1680 wrote to memory of 5068	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	87
PID 1680 wrote to memory of 5068	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	87
PID 1680 wrote to memory of 4820	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	91
PID 1680 wrote to memory of 4820	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	91
PID 1680 wrote to memory of 4820	1680	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	91

C:\Users\Admin\AppData\Local\Temp\f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
"C:\Users\Admin\AppData\Local\Temp\f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Adobe6U\xbodsys.exe
  C:\Adobe6U\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe6U\xbodsys.exe

Filesize
509KB

MD5
186d281063e3b7fe7249b958841be45a

SHA1
ca0a69ee80b089423f27309aa2a99c3345862c28

SHA256
406c4788bfaa5bcc59fd1547d307ade4274bafd0fcc8c0e83cab0bd67d2638c1

SHA512
f41944563f3a414497850d3cad9ad941c3e184bfb5e8521ccc7ecf5120f9e6bfd4ce009038c5bc44b2f12912b63a2c781a06eccc7141b7838ea3675265db3cde

Download Submit
C:\Adobe6U\xbodsys.exe

Filesize
2.6MB

MD5
6dc3391a92eb72ef6e1bf764957a6bc4

SHA1
3620300edd7c4a104577235112453f5c36c20f31

SHA256
c07c42cce703ba84a473411ea7f1f83a37b133e12a3575adf0b6a12b9f25465a

SHA512
ef0a28fee3240b864ce0743c02af1d4fc9f7f4f6afce523f5ca6c0c51ff029fdf660a106b529da923f063ee0891fe12003ef86649a473634f82bcd8f92139300

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
627aa9f7ebd5cc68213f1d4c560f29ee

SHA1
80fa5dea227de452852f9e2fb15940039e95a001

SHA256
1b3ab9e3f06f11c80e8dc8e05e5fb01450fef9b40546eda8336fb87296ba07ec

SHA512
56b55e13ea22599937e2dfafc1fcd5950fd4b0f2e274dd8691c6987eeab2c82fbb901fdc4230b0150c701979d9f587d3ccdd8a9719a36a69b58ee3d5e1fbc571

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
b8aaba0108c4bd94da87fd8d48fe625b

SHA1
f64eed8155a2ed142bfcf824fea41d0dd9ec3b9b

SHA256
93da6d3705b4277944d7c26125a9f480a8cd4e535075296ed3f522e775ac9cab

SHA512
5cb648536d72cbb6a2f653c67ce8a506d6a5ba469b8fb2b478a5a9d9b675103cd01ba2e3c9c868d45e5d4965f632920f3f6ba5c91f6e95001545059925029462

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
c07479a9734adb60090ab591dd243fc1

SHA1
1e9265a643d6341ae2d4b5ea0cbd912f35a866c1

SHA256
53f61441bba9eb8877ea2ab1e46c345014ce04534051c26f6f9662c8f194d31a

SHA512
54404bbfad8d3a5747376d6ed845183e5e6857bc6ad86e143b778ba6b57965f83350bd9021c587bd053bf620d65a168ca34b075b9033a0d7e591038874822f63

Download Submit
C:\Vid5S\optidevsys.exe

Filesize
2.6MB

MD5
60e2118020cae05748cb6f54aeaef3b6

SHA1
a2b627eb3d8b4a080af6815aed60c7060574914f

SHA256
7e5259f6aa1f8d548c81eccb4046be923b2dd8e2dec3867b4e210141b32162be

SHA512
e184ddbc4f8bf5f6d2623b1bc030623285786985b9220523d11e00209c7f71484199a585d8ea08df8718081a86252a0848a7baf3a3728d660045efea93e83c0e

Download Submit
C:\Vid5S\optidevsys.exe

Filesize
2.6MB

MD5
1cf8c30fa234ad023eec93353e35b4cc

SHA1
985bbe0d28da74323bb56824a1f485d37a3fe44e

SHA256
8dc3b94bdac07bf92810a6b6bf9b876d51d206503406987f0f8dcede2ac69f82

SHA512
e56928b49c06402bfaed96ad07bd1ee02117bf1daa02f3c95af3c72c961d76914eee186bcd916c3d997e5d18d23c3f22f8ad982d9dc0edd1304fd764f0e28620

Download Submit