4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551ca

General

Target

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Size

2.6MB
MD5

3fb6b2cec6f02b0d7bd987047df69780
SHA1

afd93d71620862d36bb59a0aaf94c26cec7b953d
SHA256

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551ca
SHA512

4979967dc5146b8c7a9d9920b308ac4178d603f9060150d663a8c947920de3dc3ceeb24b77a11ed8fb59357f18c909fd5fb42f5e52ec4d91cfabd0d971afb4f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpkb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

Executes dropped EXE 2 IoCs

Processes:

locdevbod.exexbodec.exe

pid process

2396 locdevbod.exe
2772 xbodec.exe

pid	process
2396	locdevbod.exe
2772	xbodec.exe

Loads dropped DLL 2 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

pid	process
812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL2\\xbodec.exe"	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBNG\\boddevloc.exe"	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exelocdevbod.exexbodec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exelocdevbod.exexbodec.exe

pid	process
812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe
2396	locdevbod.exe
2772	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe

description	pid	process	target process
PID 812 wrote to memory of 2396	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	locdevbod.exe
PID 812 wrote to memory of 2396	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	locdevbod.exe
PID 812 wrote to memory of 2396	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	locdevbod.exe
PID 812 wrote to memory of 2396	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	locdevbod.exe
PID 812 wrote to memory of 2772	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	xbodec.exe
PID 812 wrote to memory of 2772	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	xbodec.exe
PID 812 wrote to memory of 2772	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	xbodec.exe
PID 812 wrote to memory of 2772	812	4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe	xbodec.exe

C:\Users\Admin\AppData\Local\Temp\4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe
"C:\Users\Admin\AppData\Local\Temp\4993251b2fa0dc03daf95da373a3b38f04aa93d825410f7191c44b3eec4551caN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\FilesL2\xbodec.exe
  C:\FilesL2\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesL2\xbodec.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit
C:\FilesL2\xbodec.exe

Filesize
2.6MB

MD5
c89efc7c2c02e48d518fb66c0d88c918

SHA1
40679ce510939c258dbb49f75fcd329950bbdc87

SHA256
acde3980d561cda1d98dc26e79e1fab2dfb1189f6d703d478913183941d8b7b5

SHA512
38c7ba45863261134fcdff20a6d6b63d0d851d9642301c76c9a812ce8b2b7aabaf7bc8fbfd7d2be273c7ede68a8bdaa1aecc127a2f1a02b4851c4b7dc4b911f1

Download Submit
C:\KaVBNG\boddevloc.exe

Filesize
25KB

MD5
7020223b3ea2620aeaca282985e8e90e

SHA1
15cc100075bfe0ad2b5cfcee214ac4bfe0dda379

SHA256
2733a91e362cdd5a74cac5c216826f2c6dee85f0f48e53cf5b65d08b413a9e5d

SHA512
b7479a2cbbbfcde438a40cc9b0854bfc303848005de3b4e735dc2228e1fe473c59a8246f1f197ff2015d3f6df1952dc788a5e5fac55d6f6df476f085e4409d25

Download Submit
C:\KaVBNG\boddevloc.exe

Filesize
2.6MB

MD5
5bc508161f71e402bc6c697523a25232

SHA1
b378e4d5d5a535c82fa56d757a5aad67e332d115

SHA256
4575b4cfd30b1ecbb9e20373985a16b55bb030dadca026321118b7ca5be76c39

SHA512
888403f9daae9a644316c0c8aad59599063f2b3296d0661ff6ef76447024121dcfbbe06eb9d7703d2ef7455d1b8dc1005a14fead8666b92eee9541c1756ff787

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
88ed8acb021c342b6fb48433f26833cb

SHA1
d3f9af6a245e6877a11924e18b6af824fc732808

SHA256
3d3e9529dcdc621d2fe4389c362f22e5fb49787a89334a4c7dddf1094167833d

SHA512
67880b546b13c30283439e9efa42dff7bcf1721e677fe74855a923e7daed7058a971b420d72270848bba41a57491789955b46727fd1effe70a709782d09b9b73

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0229e4144b8a7b317a0daf2c7be39165

SHA1
3652e067112516f1a4bc04427ec76190523fe10f

SHA256
842223103ba9aaad3f5bc32d0a62dddd5296ce02c9956f5f0cfdca9b1e2bc151

SHA512
bbe5f1f3b54d908ad0f4bd15e3b3fa7b9bfb4fbf03bfc59d67a1768bab77c93e07c421c135c5ba9a45cbfbf8970e5f048dc12d824ea7c9d7a087fb5995d549ac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
c7ef8d2329d5d2107b43e7caa9b1bee5

SHA1
bef61c9caf9408048447272467c9604c1e63bd05

SHA256
2e406194c17210fa205868609da0736ad62e58ef4aae5b38ce3bbb4aff45caa4

SHA512
2f7631a6a52a6ce8830faf51c6a9e1cc15cd354f26306f495e0c8e2cbfda044ee6af35cde330e9dd274941cfbf7882c385fe84a2271b30c7ae9e4ebd03100107

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads