Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/05/2024, 23:17

General

  • Target

    72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe

  • Size

    4.1MB

  • MD5

    882d05386b0ec3c2e19df624ce93281a

  • SHA1

    6571d0d1042a60e97bf03475be21194437141e28

  • SHA256

    72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0

  • SHA512

    f0519071499f44f974f463af623fff32c8d8c5a65ca23feb42a3d1494396ecc758baca5fa26e7e0d80a514395c24409fde597b54b3300e0054af27634e34ea4b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill form data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
    "C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2584
    • C:\SysDrvBT\abodloc.exe
      C:\SysDrvBT\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2700
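
The signatures above record two persistence mechanisms (a copy dropped into the user's Startup folder and a Run key) plus two further dropped executables running as children of the sample. The PowerShell hunt below is an added example, not part of the sandbox report, for checking another Windows host for the same artifacts. It uses only the paths and SHA256 values listed on this page. Assumptions: the Run-key value name is not recorded in the report, so every value under the common Run keys is inspected for a reference to the dropped paths; the sandbox ran as "Admin", so the Startup path is searched across all profiles; and the `*_6.1_*.ini` pattern is an assumption generalising the single observed name `253086396416_6.1_Admin.ini`. Note that the report lists two different hashes for `C:\LabZT4\bodaec.exe` and two for the .ini, so the file was rewritten during the run; treat the path match as the primary signal and the hash match as confirmation only.

```powershell
# Added hunt script for the artifacts recorded in this report (not sandbox output).
# SHA256 values copied from the report's file list and sample metadata.
$KnownSha256 = @(
    '9dda8314177297b2b3c107ebd5dab3660b59ae9975361d0758775dee701f9ac3', # Startup\sysxdob.exe
    'ab30eb6a4d95662711f5c20a1fea67f985cbce4d867ed61a6db693aad49af568', # C:\SysDrvBT\abodloc.exe
    'e33744ac8578680436ca0f65ef93c7ec9f70a15ec4bc925dab2dbfd3f7f1245e', # C:\LabZT4\bodaec.exe (first write)
    '7762fba64330b940eec77b7d775c8ce968299e84efd2e6fd66634116b7f99281', # C:\LabZT4\bodaec.exe (second write)
    '72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0'  # original sample
)

# Drop locations from the process tree and file list. The sandbox user was
# "Admin"; every profile is searched here. The .ini pattern is an assumption
# generalising the one observed name 253086396416_6.1_Admin.ini.
$Candidates = @(
    'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe',
    'C:\SysDrvBT\abodloc.exe',
    'C:\LabZT4\bodaec.exe',
    'C:\Users\*\*_6.1_*.ini'
)

$FileHits = foreach ($pattern in $Candidates) {
    Get-ChildItem -Path $pattern -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            SHA256    = $sha
            KnownHash = ($KnownSha256 -contains $sha)   # path match alone is already suspicious
            Written   = $_.LastWriteTimeUtc
        }
    }
}

# Run keys: the report does not give the value name, so every value is checked
# for a command line referencing the dropped directories or file names.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$RunHits = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($value -match 'SysDrvBT|LabZT4|sysxdob\.exe|abodloc\.exe|bodaec\.exe') {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
        }
    }
}

# Live processes running from the dropped locations; the report shows
# sysxdob.exe and abodloc.exe executing as children of the original sample.
$ProcHits = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -match '\\SysDrvBT\\|\\LabZT4\\|\\Startup\\sysxdob\.exe$' } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

'== Dropped files ==';       $FileHits | Format-Table -AutoSize
'== Run-key references =='; $RunHits  | Format-Table -AutoSize
'== Running processes ==';  $ProcHits | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so HKLM and other users' profiles are readable; an empty table in all three sections means none of the report's artifacts were found at the recorded locations, not that the host is clean, since a different build of the same family may use other directory names.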

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZT4\bodaec.exe

          Filesize

          4.1MB

          MD5

          6835ccedd8340b012ddfa882c99f14eb

          SHA1

          8c0db252433bad3f1b098fbe42b96bd76eecb8c0

          SHA256

          e33744ac8578680436ca0f65ef93c7ec9f70a15ec4bc925dab2dbfd3f7f1245e

          SHA512

          e3d8a35f5a85ae1fb415b0a7345e2458fe6dcf26b6c25a0eaf12db8c061021d87d1c9de0ab296d58dcea4628ca37d85297efd5f39be32645627366052e276c82

        • C:\LabZT4\bodaec.exe

          Filesize

          4.1MB

          MD5

          76f0381e1802ecf861bffdcbc7f51401

          SHA1

          a975767240a9799c39630942cbbc64847231097f

          SHA256

          7762fba64330b940eec77b7d775c8ce968299e84efd2e6fd66634116b7f99281

          SHA512

          cbe66932c8e459b125942035e6afe3276a71075d79fb9d265a6b2b17bf79554510dc75327ffc3852443d5fd9490e8e0451cb64ed1b968ed767108657898d5352

        • C:\SysDrvBT\abodloc.exe

          Filesize

          4.1MB

          MD5

          3cedbc5d7cbf122fcdf603dd4651c067

          SHA1

          9e6185695e3e2d720f995bc9307c251a65f6120f

          SHA256

          ab30eb6a4d95662711f5c20a1fea67f985cbce4d867ed61a6db693aad49af568

          SHA512

          923ca9df3d94d3a35c1f8c3200ac8b7bbcf9e8a09d9cb1c30351cc02535d3125ec23bb74796ee44c92b45ebdeb6316fb63b60f8edd0f59b2df1f5538b7fad3c4

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          9a2ee3f23a9cd4662312ee5b032ead0d

          SHA1

          15557e7886a103eba4af3eab69614c32ec49ec85

          SHA256

          dc9c0791894738f3d04bb685447478a6c7e87d6177479eaebd9f7492e700b438

          SHA512

          be948bb963a930c385bb344b8c9d283e11b047a2ad2cd100998b3fe6973130a13da1b636ba61d2027801b57d414e475ab487aad30482b68e468a61aa3cbbe6c4

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          7cb79f61f6ca4b10a11214c6d2f1c396

          SHA1

          4bd0197bf6ac170afe56dfa7d2f6daf9e6839721

          SHA256

          0c2a22149c468ddfeb93c758a1342693e614a28f4bc03a477d2f7ed4f61200a9

          SHA512

          52991a6a4f9a4266e14343c430fa8a406549716c5e32d38bd7e6a6e9aa808ae13d1dccfcb562e5bbfa8f8632f6a6bc892a5ac7b1f5bde87b8f8180174f71ed97

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          4.1MB

          MD5

          b4e006ea794002c6b3fe6f18e62a9d5f

          SHA1

          a7fc5c00744442be67b5fbb7688dc486d1b8c773

          SHA256

          9dda8314177297b2b3c107ebd5dab3660b59ae9975361d0758775dee701f9ac3

          SHA512

          4cf5a1ef32c6184a7c6b9bef6c9d06c1f046d28fa652394ee34fd04d8b029f50f91f57cdcd314fec1f9d6de0e31fe84f43d4fd523600a7bd9451644228386c4f