d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
Size

3.6MB
MD5

d878c955d9081278cb8931d573558e5f
SHA1

3c27ca895e6ffa55e97e881db5343b73e39533cd
SHA256

d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e
SHA512

5fa7f01f14fc9843f96f4bbd939986a6454f9741825b860174c11d31e49a36942ed76c4118a36783b3d7752824563ce3201f1ced0db109e0d2f2cf9674efa59b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpPbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	locxdob.exe
1716	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHD\\xbodsys.exe"	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZW\\dobasys.exe"	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe
3056	locxdob.exe
1716	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3056	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	30
PID 3032 wrote to memory of 3056	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	30
PID 3032 wrote to memory of 3056	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	30
PID 3032 wrote to memory of 3056	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	30
PID 3032 wrote to memory of 1716	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	31
PID 3032 wrote to memory of 1716	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	31
PID 3032 wrote to memory of 1716	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	31
PID 3032 wrote to memory of 1716	3032	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	31

C:\Users\Admin\AppData\Local\Temp\d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
"C:\Users\Admin\AppData\Local\Temp\d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\SysDrvHD\xbodsys.exe
  C:\SysDrvHD\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZW\dobasys.exe

Filesize
2.5MB

MD5
a7b9c9a711e8a56f8902c7e50dbfc097

SHA1
d1dfe70701869e95e20fc6c04421e3dc96e549f4

SHA256
87f331fb9792d7abdd66e4664b3c34eef17f700ba3785666fbc09f173518fa9e

SHA512
dc8826da8d1271a71eeb6b38b29cf363bd30b75fa971b324d152ee5bdf1e79171547fc02869373d1a9cc0f2c0e4ab2607b7de6b3f4536df747b9bc89e99da4e8

Download Submit
C:\GalaxZW\dobasys.exe

Filesize
1.3MB

MD5
8efc2c84f39b4c66d7a8fc59348a1c85

SHA1
e17932ba9729b341ad61cdaacb2680d283991296

SHA256
836905e7a5f7e6ce2ad29a6fed567a4ef23dedefa15cf3081271582acd963075

SHA512
17f5f81abb3b3e104385263684717b67b322aec7f740c453059758bfcc21f5c48476913bbdb38557e57508a42f81d919d97d03d8741d18db64c38663b10aecb5

Download Submit
C:\SysDrvHD\xbodsys.exe

Filesize
3.6MB

MD5
3f7adcbb89dd8474cd3c32e7a2a34b37

SHA1
8c208275ce81a138f0fb42d966c1484177bfb2f3

SHA256
bc8ff06f74f2882beb885a6a8415d9252f558cbbec80da14cf8cb112560954c7

SHA512
a619a7dff99f97f9723763f9aaa8509b6135e7a73e7833e950a8bf8f8a8cbf4cb09b6cc09d51372ff2ab1ce2d9bd533418fed75ac350a9c8b0266edcb35378c0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
e16d26d258bb281b9ab4587ccdaa072d

SHA1
1d5a73f0c1ff463a34f7a6d89372cd24145e7201

SHA256
676b8c4a9a48efa4783789470f63b120549034f44f1939e5d42b542d0750333d

SHA512
fdcc862a2a60b9840b3e317876bf7d8fd989b5f02be8f83707557531eb82c5c941ab335cd463b596f11a487b6e57465769fc51fb64c6c174b89f550782b1aca5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
73df79ff835cf92b4c73467e942704b0

SHA1
1d596350065786be154b215f87858192c1c88702

SHA256
0e31f696da122b67d8afe2f75605449ce30aa1be4170fdf5ea766aaf4f2bb57f

SHA512
9d9ebad2639f38f43baa2d1958db9844e32345fecdcebba3a4ef6acecead4fca7d35a6d676d24d701b14f60866d41b5485c977201850fa85afa43da28d96577f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.6MB

MD5
d7883d260763c5543623e9949ac106fb

SHA1
aa2ae870bc8f41561420c2683d82af7595929b2b

SHA256
28950fe7b8d43cb4e2f4023fbb518e1807ecf4b6afdc38a3e20ecc1530dd21dd

SHA512
a710afb0c61847f7aac04d005f31e275d8433f19c72512b1e2cee446a9fdbbccd429d7e4184e98a3c32aa0b504bdd37c9c209b8c50c34717894da46adbaf4bde

Download Submit