67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
Size

3.0MB
MD5

155e9e40660fd21b1f4dfdd0d06c4a09
SHA1

eaa515cb5b64e206e002db4fa12b87bedd233fdd
SHA256

67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf
SHA512

6554987660bfdc50d01cee56f02ffcf83f2ade968af0a43b7255f8b627900d99521da7eb15718b70717eef8b6690a7f05c3cd5fdd4cc9241ed86750710276a53
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNX:sxX7QnxrloE5dpUpYbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	sysdevdob.exe
3020	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQU\\xbodec.exe"	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevec.exe"	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe
2004	sysdevdob.exe
3020	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2004	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	28
PID 2524 wrote to memory of 2004	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	28
PID 2524 wrote to memory of 2004	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	28
PID 2524 wrote to memory of 2004	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	28
PID 2524 wrote to memory of 3020	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	29
PID 2524 wrote to memory of 3020	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	29
PID 2524 wrote to memory of 3020	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	29
PID 2524 wrote to memory of 3020	2524	67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe	29

C:\Users\Admin\AppData\Local\Temp\67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe
"C:\Users\Admin\AppData\Local\Temp\67717a793d36deae26c284b86f8355112edad9723901d0ff249f286183e832bf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\UserDotQU\xbodec.exe
  C:\UserDotQU\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotQU\xbodec.exe

Filesize
7KB

MD5
20ec6effd447fb35f7db816f8c616148

SHA1
c8c9edd9f30b93dc161fc035c69b57e7af305dce

SHA256
43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

SHA512
6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

Download Submit
C:\UserDotQU\xbodec.exe

Filesize
3.0MB

MD5
6295dcbc73674ecf0dd969ef710ee022

SHA1
726be1ba1716ff8d38f675476d41693357b7d576

SHA256
ca6f9a037c41d25c4f42c9a3c600b81bd5159d17ab62f5b5233805d1bbf10079

SHA512
9ac759599869b2002b1ba805b7efc8147350496cee970d44b6bc4f7873ae02d4b17e9f4c10334409d392da20321cfa5a1517718dd92fbb5b1574940137c4753d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c7e9f25ce9131feef326469c37a84316

SHA1
5bd2a8d084cf27f5520812ec9ad5878174207fea

SHA256
4db8dbdc50d8a15d31bafcb942e37a52d737b8e48e3c60ee6bcb09b38a88d7ff

SHA512
8cd5ebd720d5450808941c3eb82eaf357be37cbe54ffdcde5d962b1f3ec6b6454dd2da20317b3ff3b4748cab6c8528b70c76f527cc0c86f7b6261ee17fb7a3fc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
eb54a73234b8cfd698e19e058427ec83

SHA1
7e65fdf59d4090bf4a425b5310da383f47f8daaf

SHA256
c323abb0294e2a3f0b7938cc018ab9696601076e6c1f94e8cb9f5dc8e999a563

SHA512
bf89500764a19b9b6826a9423f3b3aea9e8329e6227e89f86b5e33d9c23cf9f848c238308bee1b80e934fed30b378c002ca840fd6eee9e7182050457302297b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.0MB

MD5
9867b8f440cd4e25b8bbee009cb577e8

SHA1
954c434ed2a7c3defb12005f7ec40351e56a8c31

SHA256
42d73b056127d198f486701c09e366d6af52a608c2ba24f23f347861299d705b

SHA512
e34f5f4b42452fdda06c69097a6994ff5491223f0af0f33a020ce723cc52d4b1fda4624bd784127e88e785c21d1200ff0d3c9b69d2d55dae645215e78646ea8e

Download Submit
C:\Vid8B\boddevec.exe

Filesize
3KB

MD5
9d8e28197f33df66823c2ba858eaaa7e

SHA1
48f4b289f359eeccf152be5d19d7c4006b4ecd67

SHA256
65380dd7e038a2f8861675197a4c6932f96e4bc532cbf7e7deec137ed5b08865

SHA512
1a1d10aa5e90b551796abf2fe0118fc87aaad7081df59536268957e90e3c072ae5208c385357186286de2763a1ef55d05c1afd5c4bce60ad3cda63cc8bdea47b

Download Submit
C:\Vid8B\boddevec.exe

Filesize
3.0MB

MD5
fa5fff98b47f9ecd81e0bbdb6b6fad3a

SHA1
8fcfdc112ecc0f4c694060b6685b77e726623335

SHA256
4880744f5cfd4256a3a03c58c9a75e18cca26ee06f812eb827510b032eb4ff5c

SHA512
dea7b76f4cb771d3a83844c2a00baf5210b26801bd2446df68164eae19073c1ec1af9d5bb409f67499c3b427d12f56587a3d6ec3af914e3bf2a76d4345e575ed

Download Submit