76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
Size

2.6MB
MD5

960350ec533c53da1133fb61ed4d55ed
SHA1

ee23eebfcee4a7d58b0859b3135b259a2ed1f38a
SHA256

76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad
SHA512

0916c0cc3811470ea8bfcc7d344dd8df1989f02caec353bc3e72135867db8e299def0fc7f535fe5a1a5b06484445a3095cf4780b48174482a9ac068de4b2dc03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	sysabod.exe
3580	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJN\\xbodloc.exe"	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQN\\dobdevec.exe"	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe
1464	sysabod.exe
1464	sysabod.exe
3580	xbodloc.exe
3580	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1464	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	91
PID 3328 wrote to memory of 1464	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	91
PID 3328 wrote to memory of 1464	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	91
PID 3328 wrote to memory of 3580	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	95
PID 3328 wrote to memory of 3580	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	95
PID 3328 wrote to memory of 3580	3328	76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe	95

C:\Users\Admin\AppData\Local\Temp\76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe
"C:\Users\Admin\AppData\Local\Temp\76e140da0ccc8813d6d715ffa5df61b69d447a559a510376ecacc66aab5885ad.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\SysDrvJN\xbodloc.exe
  C:\SysDrvJN\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQN\dobdevec.exe

Filesize
2.6MB

MD5
1e35562946cfc244c4bf9e0d4fa765d5

SHA1
78b9b8631f61a6cf45b6a1a0e49116a77ab9b185

SHA256
33d790006b37c86db2451c001b56bc630fb94ec9f1f58ea88410d07c0c6b4f0d

SHA512
8fb868d790ad343188969aefc4fa24f3e14c52ef726592ba74a4ca8ed4d7ddcd384de97e24c876403218c92fb6f1d0319669de2792ba6f19153f53abe827dc8a

Download Submit
C:\GalaxQN\dobdevec.exe

Filesize
2.6MB

MD5
72110b901607235c7371ea6a3e80feaa

SHA1
ac29f7d2c9e2b710b4650411bc0b05f756d1f152

SHA256
58f746204c52db1f9a846825912312aeae2b890051f9cee2e726bcdc1967a795

SHA512
ac425e12d3b54c7d0961d9f290928a383376130a343a7948c5c3285b29a77073172c0470facfa8bca9a861757df1389a57f771a98a0d199ced3bbf59dcb4f71b

Download Submit
C:\SysDrvJN\xbodloc.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\SysDrvJN\xbodloc.exe

Filesize
2.6MB

MD5
7c8f7b009905ca7162013f2fce0ee6c5

SHA1
020d5a955e241a9a6610f7835beb8eb771beeff7

SHA256
0350fa1d09e46943f80048fb99be482eb924894749cb4b64cab60f3e0848c89a

SHA512
617bf59bc26c558e8e5cdd2dea96894a34363aa651d2aa1e74a2f7f79807791daecd78f7b932fead67967c7a8f1bfabd321c21e71c0be2397661183e98d38f9e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
971d4e97313fd6c8dd4389a9cbe6c57f

SHA1
5560e9bc0990c2b9e5a08b2e276eee94d843a163

SHA256
ecaac23e2869f92b004070e918e266dcbec03ec8cd1c75f24cd2019977a92698

SHA512
c13bdda7b94a033e1160b204a673776976855b0fd0636f7d5b232918b03ec4a61aeec1389721ccff30b8e1c94bac24ba4fd76f9d93760040b6001a7e035c6dd3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
051617ca0ec40f04f5a58a5e7023a091

SHA1
6e8aa9b44ce33271ff576977f6e652608fadf129

SHA256
7dad74ca10592c18461339d938a3daf4d6296b3e156fe187f02c9433b93dc5e3

SHA512
db8c742ae1c3adb7894b356d71b3f5721d6e2709eb2c94e33a7d0c97c552201249c43e724d09718a9e3470e9e460f4a5e2cedb559aff7bd5a64caf4ea312e4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
b39d0e8241f4599f5df22072ab3842d9

SHA1
304f5776c0921442e63ff660c9a0f74274cbbbd6

SHA256
67f79a493e7d3da05eeef0d8c97ac4282b87c41ec173c55114a6814a7646fbb1

SHA512
3bac09a39126a226f7d96654a703bd1c520599f7c5000ef228475f6d4b86025fd79082387c1a4f31d89cfe816e8cadd75b7cd2dc9b144c5899d28f2d0b28d397

Download Submit