Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2024, 23:17
Static task: static1
Behavioral task: behavioral1
Sample: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Resource: win10v2004-20240426-en
General
Target: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Size: 4.1MB
MD5: 882d05386b0ec3c2e19df624ce93281a
SHA1: 6571d0d1042a60e97bf03475be21194437141e28
SHA256: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0
SHA512: f0519071499f44f974f463af623fff32c8d8c5a65ca23feb42a3d1494396ecc758baca5fa26e7e0d80a514395c24409fde597b54b3300e0054af27634e34ea4b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe, by process 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Executes dropped EXE (2 IoCs)
PID 2584: sysxdob.exe
PID 2700: abodloc.exe
Loads dropped DLL (2 IoCs)
PID 2424: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBT\\abodloc.exe", by process 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZT4\\bodaec.exe", by process 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 entries, all from PID 2424 (72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe), PID 2584 (sysxdob.exe) and PID 2700 (abodloc.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
PID 2424 (72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe) wrote to memory of PID 2584 (sysxdob.exe), procid_target 28 (4 entries)
PID 2424 (72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe) wrote to memory of PID 2700 (abodloc.exe), procid_target 29 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
  PID: 2424
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2584
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrvBT\abodloc.exe (depth 2)
    Command line: C:\SysDrvBT\abodloc.exe
    PID: 2700
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads