970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
Size

2.6MB
MD5

dedc0eb52e152ce185c8efa1676e4870
SHA1

49310bc2ed5ed7f8c68ed3a1d32f59e96c6ea6f1
SHA256

970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898
SHA512

e01994271c4d93a95d9d513ef532b899c329de650614230d1c457e466c64c00aeee831418891b2049bbbe69e21e59c1f1ba04d05d7dd51ee6bcaec0413a31d7d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUp+b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe

Executes dropped EXE 2 IoCs

pid	Process
3896	locdevbod.exe
1444	devdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAP\\devdobloc.exe"	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV6\\bodxec.exe"	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe
3896	locdevbod.exe
3896	locdevbod.exe
1444	devdobloc.exe
1444	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3896	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	86
PID 4344 wrote to memory of 3896	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	86
PID 4344 wrote to memory of 3896	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	86
PID 4344 wrote to memory of 1444	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	89
PID 4344 wrote to memory of 1444	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	89
PID 4344 wrote to memory of 1444	4344	970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe	89

C:\Users\Admin\AppData\Local\Temp\970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe
"C:\Users\Admin\AppData\Local\Temp\970946ed9e16e95761bb6005e9cb8ae2daf2f5b0a1a6d00e66b3a1dadf20d898N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\UserDotAP\devdobloc.exe
  C:\UserDotAP\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintV6\bodxec.exe

Filesize
2.6MB

MD5
d05910b9482171aca9e5d4fd6e81ab43

SHA1
2b05cec43062d2503e2c66921330f5a76e63009d

SHA256
9a7cb8c0dd475585c14bcfd2e3f8a6b48dca500700c4ab852e7e745e6602e1ed

SHA512
975938809407b0a712978eb4377674ef7e2de462b88d5e08bfd2e9f03a9bb237467b18cc863fa5b5d87f9c46548596c7f283453e21cc6160b51a80e72f50e5f9

Download Submit
C:\MintV6\bodxec.exe

Filesize
1.3MB

MD5
2b055d289fb7098c4399b30ccf7b2128

SHA1
f2a359c0e57cf32e56bbc93ca20caac959ca7395

SHA256
c2c7dd211354cf3ae687cec20762a8497676b94527b64ee1ae2cfc25e8abcd3b

SHA512
3ba9094cabb161dc71812044fc6029d05156bf94eec0ff9506bbb363a3d61a62b114f7b217cb2a8a8835a4ccb5fee86124b8be4b501235590f4f78a7661ece9a

Download Submit
C:\UserDotAP\devdobloc.exe

Filesize
2.6MB

MD5
3119bf750a9ad390183eccf7db25de8e

SHA1
cf73c43d64abfb28f39311ce61153eda7ee5f1a4

SHA256
bd9066b1bf746dfaebca70c8626b8037cf302027930b51116978fe3137f10533

SHA512
1249fa231b1dca3434905df30b78f7b642fcb88d0a49499c3f661afdd9f86c86ae40c6b3f145ce5c532e47b1ae313269d74a69e5b2bb654cae9c1e2784b041e4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
8f8ecf589e04d77b78d6189225df5189

SHA1
5d2eaa643ba296e853a68dc289380f47c60d2bca

SHA256
83676c8ece94fdbb99b092e3d3841caa04194aaf36d71ad63eb7f8d75d90b4cd

SHA512
cc8ba4cf37937f4506c2f7d85eed7c2f05ebba4714a41772ccdc987a5cda2f0b5b85dfa585536f19092f6af47fe95e23247304381da261c23ddb9d893520dc1c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b1d4f3c5a59d002184ae0410bd0fc86b

SHA1
75449370ca31a12c00cb0e8903f41d6b16c298a0

SHA256
4ee8a85889ff6fc3057bf5c1bc43d2ce225cf1cd56f7ccd05a9ee42e3e2c88b4

SHA512
ff19a57ee614f2746e1cbde46bc6ee3145b40042abbf2318651f142f46e3ff7399ebf2330ad9d7c934d3e95817c88b161880397109cb831d35af2214519c104c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
6bb8cab89f4dd9ea47266aabe567dda7

SHA1
b5034e8e3e2b72ae7461e39a3b79ff42c9998f6c

SHA256
0ccb41b6c82b072aa7c7b35ca7e239bef388d5da63d5ee923115cc09e7de39a2

SHA512
2a33cd5e5e7bd28f5f6ab18bdadef41a684cd57662e849b5edc73d51ee3f19addccdeaba32f16c6fdd13793051f994fa496d9b5ac6728156864349293bd72004

Download Submit