085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Size

3.1MB
MD5

4c5d0fbae00c38eed59d9199f4e2dcbf
SHA1

e5e072dfa48b7afb272108d63f11897a818cce82
SHA256

085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b
SHA512

c8372a26491237538d9df3f4e20c2589991534fb7e38cdbbd98e39b6a34379974bae865b74de818551d3e27c2f0d78fc94c8800565502c2fb6889e99033a5f28
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8:sxX7QnxrloE5dpUpsbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	sysabod.exe
2904	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO5\\devdobsys.exe"	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax91\\bodxsys.exe"	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe
2088	sysabod.exe
2088	sysabod.exe
2904	devdobsys.exe
2904	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 2088	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	88
PID 748 wrote to memory of 2088	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	88
PID 748 wrote to memory of 2088	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	88
PID 748 wrote to memory of 2904	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	89
PID 748 wrote to memory of 2904	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	89
PID 748 wrote to memory of 2904	748	085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe	89

C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
"C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\UserDotO5\devdobsys.exe
  C:\UserDotO5\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax91\bodxsys.exe

Filesize
3.1MB

MD5
0145c787de61a19202fae8fde7fb585f

SHA1
18ad3b3fd4cf8914b83bbe257c1e5c1a80bd0f16

SHA256
c2cc953aff8acacf2a8d771ce624c24d79abfb8502d78a2e56c78e5cf2aa94c6

SHA512
cb941e005b59b263a9fdcd1607677ad07f7372bcd962c564bbd876a71be4200679d03a41757c7e36f8a58d381cefcd8d90fe92cb5cb4bdd81012d10086220b12

Download Submit
C:\Galax91\bodxsys.exe

Filesize
11KB

MD5
4b15a8dc60fb28ba194308947f8d0bdf

SHA1
addcf6f0cc5dc9577f5354dd3efdf91843caddb2

SHA256
eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152

SHA512
35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

Download Submit
C:\UserDotO5\devdobsys.exe

Filesize
3.1MB

MD5
4c43d33e3fcc197dea6543d231a58149

SHA1
a05660ec8c5a6b4f5387502adcbea1f697930f07

SHA256
f1dc144dae8fa2ad18a170ef5491821420391393c29e7837bf19c1a06de06b99

SHA512
43ec4ac7965261032611b3ab475fffac591ee05ac81e9cb7a832d87d7d9cfa23ee7bbafe4ea1124e6fcd679ea887d6c0323074cd706d734567b6711698626776

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
dd5bedf0a5095614681cbc886c2384af

SHA1
3ded7e56c17b1c2cf4f540d9401699a94605a176

SHA256
22afd178c61ec74276e60c838bc83a42fa97b14bbc2b3eb4000a330380ec8ecd

SHA512
cc775aa7c93438f7d4b0e5b52493071122deb3a46409f4eaf940c0e0f09c085850f912e17af78039c3c1be3d9a5c8ebf0e9190aab7a3bfe553a29c0dba5b07d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
9358e9a6d4d59b80a22cc9d20808e1f9

SHA1
ea0b382ef856b519c8756e72d02787ccea2509c2

SHA256
f433d94c02f16eedf64d09af2dc647123c696cc5ffe541fea3ea34f7dcfccde6

SHA512
4be4304722fe1e1f62e5e0b05b2411f3e86df7cd380dfbf61283b823bd7a5d00eda7a8a637037b649d92ed171220b731906b3bac56f8e5b4e181862c7b6b798b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.1MB

MD5
9b54eb295f857182f57fc35d9efc86e3

SHA1
24de80cc4882ac7bf4d8dfa1141e83c30343b733

SHA256
a68b1a663c2f030d130541864e89cae0a0792398a8b3b38954ff9cb7836e1a5e

SHA512
5c81f4b0477dd1e07ff7b8c305636c52d2047193c927f0f774236af6cbcfcd99b0886ecb5c1b12b57caaa43146a4779c2b304a94046cf1fd9c259efcc585c4c2

Download Submit