305f20ffc5426d0ddff2f5e4a58fc4ef347fef51eb97c51884f184954b43e1dd

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ba56e63a16c88dd288decb2f1311a0N.exe
Size

3.2MB
MD5

32ba56e63a16c88dd288decb2f1311a0
SHA1

0d55bde3992e1ac40a5743c8464c8dc1af2467d2
SHA256

305f20ffc5426d0ddff2f5e4a58fc4ef347fef51eb97c51884f184954b43e1dd
SHA512

f54d56d91e55d5ae95c01cf79cb32895c96624243d42e499d0c66ce61fcfdb4a6c47012849547eb043a0000485eff7cab51728101f5e02cf90dd8f4e28e843ff
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpobVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	32ba56e63a16c88dd288decb2f1311a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	sysdevbod.exe
2656	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	32ba56e63a16c88dd288decb2f1311a0N.exe
2796	32ba56e63a16c88dd288decb2f1311a0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files01\\xbodsys.exe"	32ba56e63a16c88dd288decb2f1311a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS5\\dobxsys.exe"	32ba56e63a16c88dd288decb2f1311a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	32ba56e63a16c88dd288decb2f1311a0N.exe
2796	32ba56e63a16c88dd288decb2f1311a0N.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe
2120	sysdevbod.exe
2656	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2120	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	31
PID 2796 wrote to memory of 2120	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	31
PID 2796 wrote to memory of 2120	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	31
PID 2796 wrote to memory of 2120	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	31
PID 2796 wrote to memory of 2656	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	32
PID 2796 wrote to memory of 2656	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	32
PID 2796 wrote to memory of 2656	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	32
PID 2796 wrote to memory of 2656	2796	32ba56e63a16c88dd288decb2f1311a0N.exe	32

C:\Users\Admin\AppData\Local\Temp\32ba56e63a16c88dd288decb2f1311a0N.exe
"C:\Users\Admin\AppData\Local\Temp\32ba56e63a16c88dd288decb2f1311a0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Files01\xbodsys.exe
  C:\Files01\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files01\xbodsys.exe

Filesize
3.2MB

MD5
fbb940ec9ca0ffdcb2409ffd137fdbf9

SHA1
ea199d5571a0668322553c545b1520e9f7ba33db

SHA256
9afc6a00e660793bc208a58ed41a766fb60dafd821e38c90eaefb5596f0c640a

SHA512
053b6d7c8c0a2cc34d5c9d68c83479c0530bf691c46820762fe80511661e3deac82774fe3754e3120c4bcb984aafa0187e28faa64111cc723c3d42f2bb9e612f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
d721110fcc9cdf8a8bac727344e39f7c

SHA1
2a5c7ca57a8c56672177064eb0b0250c90699398

SHA256
274de624e793139f392b7d52f24e5d8ddd135cd8083090c04e1909b03bab0753

SHA512
3387b0a6e457fc92d24e0b7b1d8c5dd8a3e4d9993823034a9c94ca8bab75c34573ff379474dcf665ec52cfb9b5d4e90f49895da7387b0e58afc85f00d66b2c41

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
39217b255bfa9bae30e8ff9a71cc79f4

SHA1
3239a52d11dabe91fe95aa35d687e0340eaf6750

SHA256
4faad83630b7e4860ef1c8025cda8eae10ddc82322e085b807aa97351b472df5

SHA512
ff4c5ff432e05fc54c5af8b381edb5c8b21011d277a2052e1fc2f43350d125b51e74ba8d30eba9c44474607befe7d948073386754f5199e09e19473750d78cbe

Download Submit
C:\VidS5\dobxsys.exe

Filesize
3.2MB

MD5
e488a17925da226b01bc28e782d79f1b

SHA1
0da95838a9cf49bbd669b280246427fdf8c248b9

SHA256
a7a04de9cc1c1f95f744ca48a6d7e114104971053866157e8676a5a537249de9

SHA512
15d070feebf792c0f7c3c13ae6e46928eafe615e7035a436366abc9f2402f2ebf3198aee042dafa21eb5e625c6e6936827d88e8443132a4867bc7dce6c9f0c3a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.2MB

MD5
50ab168b9c856e08cd5e35b3a4818c8e

SHA1
b118c2d28f480643e362f392cf6326847967f413

SHA256
8ccc55d7292ce1a0f1ce2b24dece0f6503168396f49fb537408d113857db4c84

SHA512
42397ea8ba6b09d7caaf22038c4d6cb9bca6955dc63c6e5e83aa7615ba2473e6044ae1fdf6c51f44de999ef6736d4ccc9c7a0d8c2f2dfbf0fe88fe2a95caf3d3

Download Submit