Analysis

max time kernel: 119s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Resource: win10v2004-20241007-en
General

Target: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
Size: 2.6MB
MD5: e7f897e8a95a79d1a4b2924f34737525
SHA1: 6232974a1ff86e0eae98f18d37b21349408b9b8b
SHA256: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd
SHA512: f63e54bdbc16063a34c10ac4c3458e03a85002049c792603a71c8e74c9c343efcbf9f3dcbb940ccdf53c8d0e4c6dcab37cb6f6753f5e0f5edb7299cf11adc740
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSi:sxX7QnxrloE5dpUp5bl
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  1440 | locdevopti.exe
  3700 | devbodloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other things.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvW6\\devbodloc.exe" | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9V\\bodxsys.exe" | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  1440 | locdevopti.exe
  3700 | devbodloc.exe
  (64 entries in total: the first 4 belong to the sample itself, the remaining 60 alternate in repeated pairs between the two dropped executables; duplicate rows collapsed above)
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3496 wrote to memory of 1440 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 82
  PID 3496 wrote to memory of 1440 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 82
  PID 3496 wrote to memory of 1440 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 82
  PID 3496 wrote to memory of 3700 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 83
  PID 3496 wrote to memory of 3700 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 83
  PID 3496 wrote to memory of 3700 | 3496 | b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | 83
Processes

Process tree (indentation shows parent/child relationship; the number is the tree depth):

1. C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3496

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1440

   2. C:\SysDrvW6\devbodloc.exe
      Command line: C:\SysDrvW6\devbodloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3700
Network
MITRE ATT&CK Enterprise v15
Downloads