87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038667b9ff12f0fb52c5d2eab925c830N.exe
Size

2.6MB
MD5

038667b9ff12f0fb52c5d2eab925c830
SHA1

108136bd34f9d12300c6c4cfd8293ca6ab64f6e8
SHA256

87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b
SHA512

09f5cb3c90589cceafaf2008ba95fcb8675ec2bf80da3efb8de8e96baf9dc666f1cc769f79bf335ec6d0762ba98208ee73a60910604df0095509bef55a043f5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	038667b9ff12f0fb52c5d2eab925c830N.exe

Executes dropped EXE 2 IoCs

pid	Process
1868	sysxdob.exe
2808	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	038667b9ff12f0fb52c5d2eab925c830N.exe
1988	038667b9ff12f0fb52c5d2eab925c830N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAK\\xbodsys.exe"	038667b9ff12f0fb52c5d2eab925c830N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBG\\bodxsys.exe"	038667b9ff12f0fb52c5d2eab925c830N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	038667b9ff12f0fb52c5d2eab925c830N.exe
1988	038667b9ff12f0fb52c5d2eab925c830N.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe
1868	sysxdob.exe
2808	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1868	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	31
PID 1988 wrote to memory of 1868	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	31
PID 1988 wrote to memory of 1868	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	31
PID 1988 wrote to memory of 1868	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	31
PID 1988 wrote to memory of 2808	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	32
PID 1988 wrote to memory of 2808	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	32
PID 1988 wrote to memory of 2808	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	32
PID 1988 wrote to memory of 2808	1988	038667b9ff12f0fb52c5d2eab925c830N.exe	32

C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe
"C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\IntelprocAK\xbodsys.exe
  C:\IntelprocAK\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocAK\xbodsys.exe

Filesize
2.6MB

MD5
3e533d6ba6f6adfe566228170cd870d6

SHA1
57131fc972ef2c4910c49016ad4feb3ebba6d0fc

SHA256
3acfbfc35fcda91cd10ae95991942d1eba24919e3f5ca4a50810a76d64b53ecf

SHA512
1fbd1a24d2674b97d2c669b35bde97a177d35fadfa7f168b09e8d89c1e70c8f8d536c95a228d7eed4016c76831b0c1bb62b85ba5a9f02e2a94fe7cf36e81e754

Download Submit
C:\LabZBG\bodxsys.exe

Filesize
2.6MB

MD5
232ff9c0acf3e79cd81f665cda3d386e

SHA1
655d5c8bd01403b0aaf274aa1c60748d06275d3a

SHA256
1883e05b2ef6e87916dceb946aeeec5a7f4b41091ed1fafde0254a9b8c33721a

SHA512
3f1d2a0e8ef94414bb6e67f57e1dfefadb03096c6629944950b2ee6559e9f8b32377cf108887f9142e41c36922aedcc2c7c3a85c82d6ed2725a9df83e89fbeb4

Download Submit
C:\LabZBG\bodxsys.exe

Filesize
2.6MB

MD5
0ed27394f218871cf6afd6c9963a9437

SHA1
76ca886dc2a1d00990c50c7c342f78a604163f49

SHA256
0c35dc0741e16c8867b139766c478b3f24758650905c26b3b89549079715f6f2

SHA512
77a8881aa79473af800a8529cd36c734ce584dece9839806ec6829321dd2fc54ce2312ef4f5f0433fe1d7e2bebf3f867c51384ec4479682cd237b5bfb056c1b6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
91a863146c670366b983754f4e9000c8

SHA1
a1951b3ff917696e78183d1a7deb019b162cdd4d

SHA256
c0364a7b677cbddf23303ba26584f9f3af36a843071ceab26a42d300430947f3

SHA512
f3162aad2690778329204fa904cc8aaf81da3e2226d3d49d602a51b8a8b56de9d9c602d7181c2ef52321b74764edcbd55063dd4179e945ffeb3f59968864fa02

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
e98db0d543da07924f9030f46c8fcdc1

SHA1
0dc91fdcb33c8dab90050ff4b01822d46a283f6f

SHA256
6c5d8846b323b37b71f5bb07074046394cce4805f4647552588b3f82945fa0c9

SHA512
93c900afbdb93f3aca44982d1d83b29620e5eeea87f8ecc3e0c744dd78da276a652818961d8576cc0b90c9b8493146e435e2da9e11891b1697d0b409238238d9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
f8a2ef8849e33865424db1dc31b4a395

SHA1
1b14752b288ae6e195704050e65946ae6dbff4ee

SHA256
4c1f48764f45ff20a0b497f93bf4214eaf352af42acda4d6d2c47816c17242d6

SHA512
9d145d942bcaf94038614d2811b89325a8618ea46090cff79846736dc4a136f4d562f54eab2876c80e6e28f7ddfb4a10150b39ebb076e3a54aa554c7b78ce0a1

Download Submit