4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Size

3.2MB
MD5

2ae47c0254e12328439773266291591f
SHA1

875bcb35f471b563d29c20c158382976db45c612
SHA256

4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f
SHA512

1c10705fec833da091e29127da74eae64c32fd5db4e69506d106945e52f06799b6e9aeccfe2de8fc9d799a0d81ed83cd36997f82722da227d44137bd591f98ba
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Executes dropped EXE 2 IoCs

pid	Process
3900	sysxbod.exe
4080	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQJ\\abodsys.exe"	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3R\\dobasys.exe"	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe
3900	sysxbod.exe
3900	sysxbod.exe
4080	abodsys.exe
4080	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3900	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	86
PID 1508 wrote to memory of 3900	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	86
PID 1508 wrote to memory of 3900	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	86
PID 1508 wrote to memory of 4080	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	89
PID 1508 wrote to memory of 4080	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	89
PID 1508 wrote to memory of 4080	1508	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	89

C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
"C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\AdobeQJ\abodsys.exe
  C:\AdobeQJ\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeQJ\abodsys.exe

Filesize
3.2MB

MD5
0edce9a4eb7d36a5b4602508cd518f37

SHA1
89f48bc1ac95373be757c5a9fcc544cd27349ec0

SHA256
7df622c3430106829773e5a54812af14ab82951f83cd4a51a4ddd70dd65337e3

SHA512
6185a5bef7436565c62a4922ce246509fdf80e15d6795d0759526bd61612d3af494c4340d912a65bbc1852743838b5e678280d21775d0acff0de87433961f6aa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
11a480339f42e6ffab5dca04c28006d5

SHA1
99200682976e0b737e258610955e5675e06d09b8

SHA256
3fe0964928d6d71b8a604a61b6c4dd7edb90477b433b2fafb0816ea91d2538d2

SHA512
642b7df8867fe38ea2733c940711cc17d8cfb3f94357c6ef5a8292d5781ff908325b2366f9c881dfdbe359671f9eaa7cf3932afb8ddd9339db3a6dc8b88644ce

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
27911e52de6be87b72f51be2678595a1

SHA1
ee69f198aabc534c21fb61f78a2682c1de911cae

SHA256
655e860094dd2ffee0105efb53db5779fab77520cf5373607ed8ce8aac0477b7

SHA512
68665f2b7259e5a39969f644ece1c40fffacd58c97ec77fd20f7848579e65618673471f9849e52ea476325c1e7d92a4bb97ef61f4a7ede900be111179456ab3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.2MB

MD5
3910689c8aa94743a2c06558df9607c3

SHA1
18025b31378944342470a702b17533d253220693

SHA256
324693aa4f1b2125b1d38c78e1136336e0514a43c70a85c402dda59b437334eb

SHA512
56c9dedcebdefc3a863d9b1a9554c40464efe7ca451793a149fcd1503dbad75b6a536669514f4bf0fabba175407cb7579ad29ad8001184c693f7c3fbae7a7986

Download Submit
C:\Vid3R\dobasys.exe

Filesize
2.1MB

MD5
f2fccf1cbd25490efaf814fe88927e0f

SHA1
95dbcae4c88e6d238657bdd8997f2e27153b5d7a

SHA256
be4fd956a24061e922fb5c14e7338ec05f1270374b90e36c089030e674a948c6

SHA512
66179312f2cfd4b50bd52ee26d2dca188a9dad58a6a21b9fbe89f57f29c0a6630c594dacdfb7eff7d6df36cd917a1eb430ca018cfdeb2bfc15aaab4f5ec80d94

Download Submit
C:\Vid3R\dobasys.exe

Filesize
8KB

MD5
b6a3be42755c871ed4a546b6cfb8e5e8

SHA1
45db3ee8541418f154843d4a791071b3c3c65177

SHA256
1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657

SHA512
a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e

Download Submit