861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Size

2.6MB
MD5

ab7eb0d2903807239b7117525cfb7b40
SHA1

8a865d4513e85f49f6cd6d76ac413b40e8c2d638
SHA256

861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37
SHA512

055ca8d1088cb92c0fcea0d12dac839bf13151a4695f9d062d388dea4286824ea1f1fec93df4d358539dd4cfddd441477d4fc21a3248a2cd2c71a97fb55eb4c8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpcbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	locdevopti.exe
216	xbodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPW\\xbodloc.exe"	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRP\\bodaloc.exe"	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe
3060	locdevopti.exe
3060	locdevopti.exe
216	xbodloc.exe
216	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 3060	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	83
PID 4524 wrote to memory of 3060	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	83
PID 4524 wrote to memory of 3060	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	83
PID 4524 wrote to memory of 216	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	84
PID 4524 wrote to memory of 216	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	84
PID 4524 wrote to memory of 216	4524	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	84

C:\Users\Admin\AppData\Local\Temp\861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
"C:\Users\Admin\AppData\Local\Temp\861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\SysDrvPW\xbodloc.exe
  C:\SysDrvPW\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvPW\xbodloc.exe

Filesize
2.6MB

MD5
5808a0ec0e52f77a09bbe7d3dd42b613

SHA1
64b2bc953cf5f32ed22f049d6a58b6e92e26fba1

SHA256
38e86d21f677dbb13e0a9b0c018e0dd6029ef9ff1312ac88ee93853d58e2b1c9

SHA512
12b623f1af6dffe5d414168f0d93b5b41597cf4f967a9f40519ab91298acae6907928277a9ad543aa2b6beb9f5298ac27aac3e44a3ec8f5254ac6751d2528da9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
05bda54389af518f492b61b2f943f87d

SHA1
b9dcbe138fdf180adb4c1990726077d7ccb29a85

SHA256
0a0cad4f9c4f9b7993c17035d762e7b68121f902ac760b8abdbf628733c065a1

SHA512
7fad322ca23b73aeac8944876adaf26cc5ba78b68cf825ff808f1e91b790c3573a515db0ba674fa05b3b172ac4102362b6cf4312bcc8dbe4dc9b4a365adc1900

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
24782310e9737733ca74c5999484c838

SHA1
4e692d5acc0b28d565df27c59cc083ff2ea3ccfc

SHA256
8fb1574a5a7849a9422d04060f3efd7c203e0afd762801c59a76a12ce5971176

SHA512
50d081e2364bf71e4ebd6eca1d6833c6177630d09fc199a61dd23479e7007e8582e3e0b16f6866b037cb90889a75d016305e1f4f0729bb50f91e68aec284febc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
46d3b73af5e780691cd66e9e6801eb06

SHA1
bfb1bb460eb219c053e7a218cf82ff21ff8eedc1

SHA256
0dea2386460a89ceb62f6ad9f77c0a7b591640e7481f0ca5638715f2e1a0a7cb

SHA512
2f224515be8a050e03731bd61237ca1901e15db9834bc42cf7790acfbee4358e6a56183f3bde7cd98c81e4d8967a2593523b1165c4b05fa5a86bc2605afb570d

Download Submit
C:\VidRP\bodaloc.exe

Filesize
2.6MB

MD5
ed7a9a05a90fbfedb8ea61cd43b2cac1

SHA1
525bdbe66513ec68295f7a782e665ab73a3c9a51

SHA256
24c637856d98e50641784fe8a4040fe9ba68c58131e406b390fbfe170ee1172d

SHA512
8b909c909f1012ebac280fc8e12597cd4ea0c637f92481a0a7bd599c48bc9b38408333e31d8f90c34ab301d802f9205f1e6ed77ca8c9701640387f41a575904d

Download Submit
C:\VidRP\bodaloc.exe

Filesize
1.4MB

MD5
641825835599a6bfd5325ca27c8f8aa3

SHA1
ff4345603420a9e96ff17be8f4c35b9c35564c5b

SHA256
29125a3883f5e339d22fd80de64fec8d0ade75a81e3de4a89bc9eb7322265d66

SHA512
87d8c201bd9b5c8d1ba83f4fc9ff3b1e826149db97c200eccc38e4d1c1871100ea9bf206dc4fe0e079c6d7fc99c18b290170e25ba558f9875fbe25f97f24d994

Download Submit