fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
Size

3.1MB
MD5

4b0fd7f1f83364b5982979d896097f42
SHA1

8cc746c1d1685897375b4045e95707dfa0d4117d
SHA256

fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0
SHA512

d6c0354a28134668e1b29ebf133831711bc1ff67fb01571b3083189f46bfcfa62061870dfbeb93deaf363d4eca0d7fa34c9f813427241f0aca8ed91585503665
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpUbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	sysxbod.exe
2944	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocO7\\xbodsys.exe"	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYM\\dobaec.exe"	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe
2680	sysxbod.exe
2944	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2680	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	28
PID 1368 wrote to memory of 2680	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	28
PID 1368 wrote to memory of 2680	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	28
PID 1368 wrote to memory of 2680	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	28
PID 1368 wrote to memory of 2944	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	29
PID 1368 wrote to memory of 2944	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	29
PID 1368 wrote to memory of 2944	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	29
PID 1368 wrote to memory of 2944	1368	fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe	29

C:\Users\Admin\AppData\Local\Temp\fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
"C:\Users\Admin\AppData\Local\Temp\fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\IntelprocO7\xbodsys.exe
  C:\IntelprocO7\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocO7\xbodsys.exe

Filesize
3.1MB

MD5
a9e3927882621ef048020a5fcd1e5dca

SHA1
84dd4949e6adbd4b9ad75160fc6d7a6c4640c38f

SHA256
b23359a35fdf99220e8f0af516c58fe74827b6e7d8f1c5aca449390eac2b7a23

SHA512
d0ec3b1547aec55ce3906153e32ae28ce67ac541123e370b6acac78f3d74a71180b17a6011cad3e93e480e88f3e3ac31116fec4b1a96efce2b02a28a2dc5f9f7

Download Submit
C:\MintYM\dobaec.exe

Filesize
3.1MB

MD5
68ab0cd96625c66b531b08eeeb53542a

SHA1
f439d8dd0b4d56b689abd167b029c6eef70b83b1

SHA256
e96a7ab6a05f6c02f83dcdab942d2eb3e884a1e9f5c3a260eddd758b4317901e

SHA512
a84dd04c9c848b923c50b8000f122a39956e1fcfa38c3539ffffa8c5a671da2486cc1a57fd95e159ba87d0754b3ab58841dee863b5f5bdec404d7a90da5cfc39

Download Submit
C:\MintYM\dobaec.exe

Filesize
3.1MB

MD5
d7f66b5de9567fd05f05b0894cddbd83

SHA1
22518be3b628f82ffa8f697666033aa6da14b7c6

SHA256
62331aa99c1e3e8fa45939bd0480e681000c89ee2215414629d09953ef5037f3

SHA512
ee43c1195d7cff02a192bdc954465e2a86ee5167df5ef636fd28d26c7df7fe88f4be07912553ed38e7d28ee6aae33d33754dac20004f809c03e442b6f8c57e8d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c81e5c92845214dcda4c3c0b61a57efc

SHA1
6c9a7149d4407e952d805c7e2a6e83f8cd916bae

SHA256
857bf4b393d1acc8216d48fee6dd0a7ced727ed12275aee94509390cd613d666

SHA512
eca016d37b6e6a708f628e72c26ed68c64bbe515934fc706a5f7f2a59afec44270e4b56efeddd7da2b7e60adb06c4a12662ff50d466e073e499fd61fdc054991

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3fa7b70c4e33394dec2011b84e7de8d8

SHA1
25c6d2fc1ef308188500c068096e1ccb0221c5e6

SHA256
a7ce8be699d0218c3ec79b19636ae502fd88154858ed667064bcb71f06d24b78

SHA512
7b7b0096f9cd9186fec46e17a2da3a7be6d063e497f5e35082f8a27127802611bf46f5eece400b6c9775937be2c44924f3b5b42356708a3b2e9e2f068e1327bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.1MB

MD5
c9c704275378f85c1354cf5f7fee101a

SHA1
43dfb9f3f9ef6813c699681a2a7b8929a4d7ecb0

SHA256
1e6a6e994e445c1114b96ef278aad40ea823a171a91b551d1565b3864b39824a

SHA512
1815b6787a85f418c14928edcc43520a574c6f0d3d0ffcdec4c8a76163a3b804814616d560b9ef6ed487277daa6e581b1b2cbe0906ebf1fd533544870b340a66

Download Submit