d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

Analysis

max time kernel
149s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe
Size

4.0MB
MD5

03ba9978296204d2048fb184e546932b
SHA1

63fc0f70834a1868681c1ac8bf9dca778221816c
SHA256

0af366e7b4fa57f57a14aec07cd5c2991809e96b3d240c9440c1c6e59576a16e
SHA512

4f6c5cb0048ae1d3a8b39c7dcd2fb3901402dac55309efe453b69b7ded5efa8085f27144e766eeddb1c9d38a857dfa7b2bf1cbd6fc52d65348dd76bb3cab3ed4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpabVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	03ba9978296204d2048fb184e546932b.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	sysdevbod.exe
1988	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSN\\abodsys.exe"	03ba9978296204d2048fb184e546932b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMY\\boddevec.exe"	03ba9978296204d2048fb184e546932b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	03ba9978296204d2048fb184e546932b.exe
5060	03ba9978296204d2048fb184e546932b.exe
5060	03ba9978296204d2048fb184e546932b.exe
5060	03ba9978296204d2048fb184e546932b.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe
3800	sysdevbod.exe
3800	sysdevbod.exe
1988	abodsys.exe
1988	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3800	5060	03ba9978296204d2048fb184e546932b.exe	87
PID 5060 wrote to memory of 3800	5060	03ba9978296204d2048fb184e546932b.exe	87
PID 5060 wrote to memory of 3800	5060	03ba9978296204d2048fb184e546932b.exe	87
PID 5060 wrote to memory of 1988	5060	03ba9978296204d2048fb184e546932b.exe	88
PID 5060 wrote to memory of 1988	5060	03ba9978296204d2048fb184e546932b.exe	88
PID 5060 wrote to memory of 1988	5060	03ba9978296204d2048fb184e546932b.exe	88

C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\FilesSN\abodsys.exe
  C:\FilesSN\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSN\abodsys.exe

Filesize
4.0MB

MD5
fe6636e840f1a74542686b01eeaa8bba

SHA1
a83219ef9e15efd01d50ec03da0259dd2d82d991

SHA256
8166b39a8758948a10c1549ee808645175bf0a5014239b66035e3f0e56f00bf6

SHA512
341c67f0a4d6df74d0b65f9e83d79b8f98127f4333f671dd0a57afeb9db8028cac7639037eb3c0c29129f344d1e30bcbae888451eb7ce842cdea219d50884e45

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
edebbd06f8cb83e285354fb731486e10

SHA1
dc0d58f661da5dfef47cdd309296ac36397a9271

SHA256
2cfa51f9e07f20ca9f152bff1f391d5f30f5a16bb99b8760e7362d76e2d729b9

SHA512
37decbc4dc275aca9995be11021795d967e4f5a297e4bb9d328c2f461e3c13383f6b8a3b4ebc97493cbbb937067c0c7603f1e6a767b3bfea99343c210852a8f3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
9ee34dd2aee21fe55b8b2dca2f7df6f5

SHA1
713e57a426664ddd381749ad6bc7fa6d7c265144

SHA256
4314a092cb270fb149bed4bf189aec894e06e9c93451c1dbe0917f5cb2d4eed8

SHA512
7d6cbb4dd013aaf1b9442989a12a906466519ce8342ec23c03da4ff1da4ad7be781a63133dd4189868cf3f9ee92ac858ac4e64336d88d68b37aced8069d3c8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.0MB

MD5
624da640aa949bf56c96bee7fa3821c8

SHA1
ba8266c066f13c03042620846f932ceeaea77c55

SHA256
78b5181b21dd16a55db275b6590a8c811a94c3c8c054519bac6630855ffda413

SHA512
bbc69221192b2fd6c9aac22ede02428f9715e8ec349888b50deb9e679d0d29db35f512d4f10ee65ab1dbe5adc334e894e1eddd4b812663e12a29ce20d21028c0

Download Submit
C:\VidMY\boddevec.exe

Filesize
4.0MB

MD5
08d5ca5d2f4a4e5d1d80e82f56fdf104

SHA1
e780a75d9581f3fcf61491fc39813a07f8286ed9

SHA256
93c508e64bc9d8f8e4c9b279ada6ed643e7338e8f698781678dc47746c13c43f

SHA512
ccc43488cbd4e8fb6870c502c05da2065c7cb4a69b402449d4e8155d45872b2a7d43874043edea05a9908fef1a1e0035839000e60bcfb2e42eddaacd02be896d

Download Submit
C:\VidMY\boddevec.exe

Filesize
4.0MB

MD5
c62be9c26e58e88cd59cab1ef8874685

SHA1
7761e33ccad863281d21ea4f3b4957a0be445a9e

SHA256
5db061815aa278b19d0d4e5e73f34e3c4e374fce4c1df8d40b413707bd22f67c

SHA512
8320144b2f3c699c9527d627a4c035607e28b8d273432ac1ff68baa9d4da2d25d79ba3643e6644c3c88834143516979ab3bc77ad7d302785439fb9063848dfca

Download Submit