15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
Size

3.9MB
MD5

50eb3046bd2c37ae147c31875d4a6172
SHA1

eb63662322ca1473a0ac69f55ff43e4f63474a62
SHA256

15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a
SHA512

7ae212730319ed29711df3411ef67b168dde4b58e4d16b1258b9876b3ed0f87dfc3d43ed73f3ec4424f1869d283cfa982a8b38c446cf6d44ef0ff536296eec20
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	sysabod.exe
2508	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZT\\dobxloc.exe"	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQM\\devbodsys.exe"	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
2992	sysabod.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe
2508	devbodsys.exe
2992	sysabod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2992	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	28
PID 2844 wrote to memory of 2992	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	28
PID 2844 wrote to memory of 2992	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	28
PID 2844 wrote to memory of 2992	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	28
PID 2844 wrote to memory of 2508	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	29
PID 2844 wrote to memory of 2508	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	29
PID 2844 wrote to memory of 2508	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	29
PID 2844 wrote to memory of 2508	2844	15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe	29

C:\Users\Admin\AppData\Local\Temp\15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe
"C:\Users\Admin\AppData\Local\Temp\15170457bae13618cd1ec822df68ee4fa219c9cb2336508b5a9fe38173ec074a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\UserDotQM\devbodsys.exe
  C:\UserDotQM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZT\dobxloc.exe

Filesize
16KB

MD5
22982414cd28f7bd963c7390fe332005

SHA1
b9780689fc2f225a5f207b3a0f2533dc5e381874

SHA256
b3c258b288b3f2ef33c6a362503e599b349febb9a0f7fab4311ba488dbb1b44a

SHA512
905aa5b5e80fa41f962d0a01ee4b2a54155d0ff7e92d1533813efa64cc4ff3ad1cdf63ac6a1e689b0a4b44c659ec4760631e0162fda9ab3741cdf0b0bfcd0cb2

Download Submit
C:\LabZZT\dobxloc.exe

Filesize
711KB

MD5
1d82f8ced51144075c314d3f58dc66af

SHA1
ea99f5f0d5ae1119bf8eca3aecbe77f5edce10de

SHA256
b4df3cd99370bf3a26fe8b08d4c4f2deea1ccda6897905fcfca4f6e8b8a284a8

SHA512
5dbe0275cd6d9cdecb638f0a7053c312474f951e513e6500ea6478ecd9bea8cffefe7b01409adffe4129309975b7548335fcaef5ef58fef093d7ae3c6843c69a

Download Submit
C:\UserDotQM\devbodsys.exe

Filesize
142KB

MD5
85034e0c40cfa21c258fdec503d76978

SHA1
cc9776b7fdaaadc5c074d93907900300e58005ea

SHA256
3c881cfadace041d098c4afc7bee1ad9f528c50c9be8f3f9f2394e3b0193e061

SHA512
5e8fc2786763be53f6827728cf28e4bdd63830b41fedfe18e854298d0ad8d2f77890a36131ee0e78c3e6e5b1e4626066d5a095154fe3502da47eeadcdec55b59

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
e6e339f93d77cce2b481167a5a555771

SHA1
d3644afd79fd3696d3e29c5d7c260b73336ee6d5

SHA256
f502b5377f30898cf6dd7aa6ff709e491db6285d138e43a412c4ac67b504de48

SHA512
f701c79146dd06060aa845a2cc24bb2b122c0cfccb31b916ace9c3681f576e496de3653e488d09bab63e62847412a7cd9286bb5171b4a5b001156302e2fb77e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0a65a13b6fd63087bade91b5c4f27298

SHA1
0261f365d3b5c22dd87d4406c5871675a690a8da

SHA256
de6b1327e909f013873a0d4307f64b12dde7e2a2050a07976943ce8d88c7ab97

SHA512
4afab2daa9cb052dfc76397669ce14a5a940182f3612d32cbfd3eabc3a732954f9193feaf325f4b749830a03c2dd03fa504a5e06b122a28e749dbf1f4276203c

Download Submit
\UserDotQM\devbodsys.exe

Filesize
3.9MB

MD5
d9d2fbc15260dde8eaa534c3de81d7df

SHA1
fb1f0b5bca804d8b61e729a9220ba9fa2281b6f1

SHA256
c724b68f02f7a3943ccc56e0842f7effad5fbe79633b0a7f430aca36575e7be9

SHA512
4280a5ac05f0c5b00de7d39b39c277153c45ccb31a5fb4dc39e81cb64284de77b286f386897ddc17438efc1ebceeec737cc3195cd0453c4debb88b547caae6d0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.9MB

MD5
28fce427ea50dd45a078d96f8fbea9d1

SHA1
51dd9ee7336fadd2f2969bfabb0f0f05da69efe4

SHA256
419d8b8faf59b1712adbb5c9dc44055b96332c4d47f0c98f64df632e37c95817

SHA512
b37be38080b5e223f894c7e2c420584980b31ce9d1649ba3f06f4c6ed9ee9e65e067c8c2c3e958753eb414f8c1e3fc7786139f218a733d99f8f6af4f9320c767

Download Submit