956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
Size

3.2MB
MD5

96dc40b005b55467c16f2329b9f97bda
SHA1

15ddbf6cb790e76bc1bfdcff78ff129ab75f2ada
SHA256

956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc
SHA512

44daa0ae4c7e46a16401816cd8d3af7f2612c5c936f811f5d26740714310b46b04b278898019e35759707748462187df1ac2c79872d15abc58356a6fdb36ff39
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	sysxbod.exe
2684	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD6\\boddevsys.exe"	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5E\\abodloc.exe"	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe
2656	sysxbod.exe
2684	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2656	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	30
PID 2424 wrote to memory of 2656	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	30
PID 2424 wrote to memory of 2656	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	30
PID 2424 wrote to memory of 2656	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	30
PID 2424 wrote to memory of 2684	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	31
PID 2424 wrote to memory of 2684	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	31
PID 2424 wrote to memory of 2684	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	31
PID 2424 wrote to memory of 2684	2424	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	31

C:\Users\Admin\AppData\Local\Temp\956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
"C:\Users\Admin\AppData\Local\Temp\956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Intelproc5E\abodloc.exe
  C:\Intelproc5E\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc5E\abodloc.exe

Filesize
3.2MB

MD5
a014b9356678313b5b363b555a6d5f6c

SHA1
ba9ed28aac4ca3d51b30f51d21e064cca0c09895

SHA256
61fce2ac073341426d02443ebb6be548c2bf74d21400b2be18e3f78766cabaac

SHA512
d2c95bbe36fa41f706dbbe1c627ba7d4acdfd5b476f8e32fdf03911582fd61ef1fb610ce9e63a6660ade04d2033430560c45df239f2bd7c984186bbe2dfdbf0d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
c581b2f27b1b4c7cfc2e1dc602f90f37

SHA1
0953f1bc7b2582819a5fbedfc79f986ed760d234

SHA256
964008771cd3ade99b96d2ed7be617f8073df0ae758a02a55df733df3b421b8b

SHA512
0ba20601d1ff3f248ce2c926c876f8a134a114d234f83dbe313eb4cdaa2121fd6d4c7d1d2a749736cb0bf44073f41508eb9b15bdf9e535dbc0336233484248e8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
41748239ea1b55a60c8934ec5fc379f7

SHA1
e03a63b8438fd0426431bbd2a55a6d5380644b13

SHA256
97649f3e3e602ef94c8db653cdfa3436b95e7678fe6c1cbc377a8275eab49e6f

SHA512
00746ed0917f0acdd20c6120f066d4cd286e2a05f4a3e731ea5984fac26a7c545e8400ea9ddad80a0f171fe1bea9dd1bb3c417edd28f5128d52e88a2fd6e12c4

Download Submit
C:\VidD6\boddevsys.exe

Filesize
495KB

MD5
84083a69fa7600061e6188c3191a6914

SHA1
3f6e2c10514e7ed798e6a77ec5d3258dd0b691d3

SHA256
191269ace7854b193228d989093942a9d8b903d2e65174128bb677ee1ed5e1c9

SHA512
8ea9c40b4c680fea43993a4981d4b45d76a38591b81cc28d718213e5b568c14ff994536e79c7f84e117d29ee2441d9055f7064b2541d8da6f7bcfd1a32d49231

Download Submit
C:\VidD6\boddevsys.exe

Filesize
3.2MB

MD5
805948e8aa1ed853cdafafa85e877612

SHA1
26fac77e7b33f56b934846b53b545e6b3f32f23a

SHA256
fa67bb20982595cce1377b9796d491415b33d675f1748e6ec94d61d023712f1e

SHA512
aa051ea3f89c81521b60fa78446bb95862b6eb03c407250d5128207872403d8819da13085347b32c85a65f08a2aeb4d98b5471c66d3ee2c866e3d79028780a0d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.2MB

MD5
7ea12652ff14a490d35e7630e13c05c7

SHA1
4806e5036eaccbbca23e251d6d0f70ec1c07a65d

SHA256
d0646db54b8f54878c0d6285644cc1752d310e8cafc6cca50870ea0706e825e4

SHA512
a4d39c467a48e30e56043a572f72415b754be7fae04812061b99aa714fffe37c9234727d07d966e1980914dc2f05b0f58fb58b21f8382647158b9db2d60dfecd

Download Submit