9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac

General

Target

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
Size

3.2MB
MD5

0a5e46c832c8640a8806c38a90d81e0b
SHA1

300910e19197886b5c0cb240df9e4ae2da1035fc
SHA256

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac
SHA512

8f7a8a3f4d443c3f30ef88549f27b8b580d270892fae699ec156a5d4dbebcbbfffc7e396cfb9232166eba88194398f1961b7a2adb5c72a70ebef5d073d8e7f44
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevbod.exexbodloc.exe

pid process

2280 sysdevbod.exe
2676 xbodloc.exe

pid	process
2280	sysdevbod.exe
2676	xbodloc.exe

Loads dropped DLL 2 IoCs

Processes:

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

pid	process
2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVM\\bodxec.exe"	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeR5\\xbodloc.exe"	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exesysdevbod.exexbodloc.exe

pid	process
2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe
2280	sysdevbod.exe
2676	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe

description	pid	process	target process
PID 2008 wrote to memory of 2280	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	sysdevbod.exe
PID 2008 wrote to memory of 2280	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	sysdevbod.exe
PID 2008 wrote to memory of 2280	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	sysdevbod.exe
PID 2008 wrote to memory of 2280	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	sysdevbod.exe
PID 2008 wrote to memory of 2676	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	xbodloc.exe
PID 2008 wrote to memory of 2676	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	xbodloc.exe
PID 2008 wrote to memory of 2676	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	xbodloc.exe
PID 2008 wrote to memory of 2676	2008	9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe	xbodloc.exe

C:\Users\Admin\AppData\Local\Temp\9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe
"C:\Users\Admin\AppData\Local\Temp\9473443d72972c709118a00ca073e470bb69a0d2d479e3c1ce3c4adced7db1ac.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\AdobeR5\xbodloc.exe
C:\AdobeR5\xbodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeR5\xbodloc.exe

Filesize
3.2MB

MD5
dcf35277890de2c73e7f77aae88e472c

SHA1
b5dc04649587bff3ac1ead4bff82a2bf33d27772

SHA256
bb9c0da83e9ab2e04bd7458a0bec28ffe09cc26529573e05a5e2f635711b3476

SHA512
e84e1da47f7296dbe6b13dd858637e9359f47c556472654af8efedb209562a5aa7ebe5c701460ce650f9483343c1a4b045bbf4877c61948fe0f029d0217b5881

Download Submit
C:\LabZVM\bodxec.exe

Filesize
3.2MB

MD5
8dc57ab40af237786ee6310803e2a574

SHA1
7e0333d09b2a92f57b05f7dff5df36ea0d1fac9a

SHA256
78bf84bbfc668c14b8a79a4b7b7b97b90366a0821c5f3f8a62010bfe05dd2051

SHA512
ed14d54a4cc55bb9b8f5dd1a533af3d4ddf88b88773914c94c773e1a0c6c36e56d2bc125b96a2a809b9a5150a3fe4b80fefba408939d8c23592df3d217160b6a

Download Submit
C:\LabZVM\bodxec.exe

Filesize
3.2MB

MD5
92b11844f84652ee9da750cb336e4f0d

SHA1
20dcb708e56ae21ec51ed91b465804089ad2ea43

SHA256
9c2407be0819009a508f7ee689a584fb699d040002952b5afd6a5a6b0b8b051c

SHA512
05b489859655ed55828a8f2806e7fa9d3132e1d529051985d2140db689684485a22c058a65573b0555a87b78e8ca47390839d239ddc14cfe657753793919f6d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
f2ec9c5c7ca5b2fcc06f3148ad8f08a1

SHA1
866d0637867235e5203f83d990539736062c5beb

SHA256
afb7a8793543e369b73aa17bf242350107d70736ea53263ead5e553b39ef19ee

SHA512
b7bbc5603b70aeeec9e56a8ea1f9463c1b8f1ce6df9bd2d6bf7d7d67f9735de63c0b96190b1cce1a859e7e83e582ce1069fc8853b6e9f65e158bb22bd698c460

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0edf1efa7ce424593dce7d9c219908ae

SHA1
abecdb1af4a3b39979ce5ae156748f3b7081fb35

SHA256
39eeffc4c6d7249500fda97c4a7b89be2def87ba4c82c0e2c837e34524ea9923

SHA512
2f9ca8d1749c00ceec201fb816b2f58dff9bd387aca125fc3a4a4fe6633143e7a21bac945921017b9dd95dbb26221213e3e481374c6f144968caa5d3a77c9eb1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.2MB

MD5
1a2c7f9ecfc944fb640cb139e49cf76a

SHA1
0286130339174ae14a8e647365c813d7545ec43c

SHA256
e70dd197be532e65fe53ee27b9c8f421702d64442d1baa6ea18118e2d4972010

SHA512
ed22115376acf18fdefb33c3c9e8993ea28d7aa76fcbf81bfa05caad370ed802717d1efbdf9835acc962a27b7e72499cd2446ab215b603e5fc14aa0cd7a5e1af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads