Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
10/07/2024, 02:56
Static task
static1
Behavioral task
behavioral1
Sample
a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
Resource
win10v2004-20240709-en
General
-
Target
a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
-
Size
3.2MB
-
MD5
bb76efee35a2850833c15c917a07cf15
-
SHA1
9299bc360eeb6e3fa29fff85178e881a290be4c6
-
SHA256
a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996
-
SHA512
d5e25ebc5b6bd6b96b3eaa37a14214408e8fb211f38e95ce8a863ebce06cd2fc44d1a3b4f2eb128a15500a3b16c8497bdb987709832b9efb3221330300bb7a03
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpqbVz8eLFcz
Malware Config
Signatures
-
Drops startup file 1 IoCs
description   ioc   Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
Executes dropped EXE 2 IoCs
pid   Process
1464   locxdob.exe
3668   xbodsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description   ioc   Process
Set value (str)   \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHK\\xbodsys.exe"   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxA3\\boddevsys.exe"   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process   (entries)
4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   (4 entries)
1464   locxdob.exe   (30 entries)
3668   xbodsys.exe   (30 entries)
Suspicious use of WriteProcessMemory 6 IoCs
description   pid   Process   procid_target
PID 4276 wrote to memory of 1464   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   84
PID 4276 wrote to memory of 1464   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   84
PID 4276 wrote to memory of 1464   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   84
PID 4276 wrote to memory of 3668   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   85
PID 4276 wrote to memory of 3668   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   85
PID 4276 wrote to memory of 3668   4276   a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe   85
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
"C:\Users\Admin\AppData\Local\Temp\a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4276
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
    C:\FilesHK\xbodsys.exe
    C:\FilesHK\xbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.0MB
MD5 f159d0ea35b9adda7be63eddc95fcad1
SHA1 11b2af80c1f16215e3ce8577d63b42cd65184eb9
SHA256 4f2351f92707a1861b760da87cf765906b0d7f3058f75b66edffbfadda9c553e
SHA512 756f0599d59c6165bd0fddf4bb99b8c9e375f34bfcebce503384901b6b26e36ef226ebab79f65f2278eb3d97236614a0401c679f280153341508689a2550b1e8
-
Filesize
3.2MB
MD5 461ada0467cedf2751fb8ede07e303f4
SHA1 720f69f093712485c9f6d7203702843c30131c46
SHA256 fc758a7ec5d2317f8c57468e46475644946df717ed1e40e3b5a63dfbac6de27c
SHA512 99771e44bc2129faf35baf1119e03ef81affc7c34cdd9b31040b8ffe14791d8c70015d98e7db8824f35be9582aa44cbb61d9a1575ee8a65445df89d379bd6597
-
Filesize
1.4MB
MD5 0b40ebf7c96e3ddcddc69e604ff2d0db
SHA1 317d28680097a82ac6077bf2c419ae9b799b7650
SHA256 e7913f442d1d4c78dc2849b0ca1a935c2191cd0c206bb5bd173969be96c3a2a7
SHA512 c8459db7801d96806ee843d7f95e44dc2f9d85877974decd81a5a95f0ff53014960cf7f35a2ca28158fa1b29584e5a5655f34c01be468fdb044f45899a24232e
-
Filesize
3.2MB
MD5 95cd68785cd59004b5e8e537db22d2dd
SHA1 63fc1b413f6787e08c9aeec78e3cd5ad53679fb9
SHA256 bb03f6aa9e5435ebc3b8fb45f915e909679601013f12b04e42f4f99546bb8e12
SHA512 2f53e5bf33f88ee9eefd9a43cd92aae8724e326f6927ac3c41ad32d55740d8aa2941aee3968aaf0732d2ac20b7ec0d933f05570b559426d6751322e04189be26
-
Filesize
203B
MD5 3187b896cb3ebd9b31cd812640985c80
SHA1 de67dd5c53b505bee58a17e903c12cdf15603c95
SHA256 c10d73e043089ec9ee09271f1c83e18a2ae26ff441c6ae4879e9455d6f775417
SHA512 603cbe2f6e3c2520c33390263bc641e890797d6b4f5921fb657f683f1cc02e16d9a5c2e705b356251be2bfd097e3b0457b56590c8b4f1f78e1cafadb32a2e7ec
-
Filesize
171B
MD5 03e7de64b8a8350da6bd26b4ff859305
SHA1 6a66ad102d441bcc0e12f0bbde88e19c7fbb734d
SHA256 d27e44285549f5be4f833a9e54d144a5b662adaf92736c6974bb5dc163314537
SHA512 3fa7609abbf786c9376703a359fe635b9b220304b4c184ba9f9d0ec6a7657f286bab45a328ec338ca81abfcd1163db8a5f0a0e1a8625605fcbdbacb2de69f4f8
-
Filesize
3.2MB
MD5 b751be73f74a7983430d0a890b290d7b
SHA1 1d47b1a46cc3e05802298017189a8d58366366b7
SHA256 d2baf29b20f85863eb86e68348b40decf9680ad949ce51eb87c5e581bf703c31
SHA512 c3b9ee5c8cbf3dc9d67e3c00c1b089cc275bc702be5960ac06fd2006ab760c8d82a60b7e3acc6cc8f3cb8e515b2ee24f6df2bea835afe497bbed9466e266eb93