16605d3c20dfda31d67f33bc58edb61db93f6b03ad834368ea4f12a563641865

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135b5d1a525c6cc808b6ff25f7e7d420.exe
Size

4.0MB
MD5

135b5d1a525c6cc808b6ff25f7e7d420
SHA1

4f1680212850f213f5e89821ae2da2eed44efb71
SHA256

16605d3c20dfda31d67f33bc58edb61db93f6b03ad834368ea4f12a563641865
SHA512

ed2668b753edb3bb057d4e8ccc2ee1bcb8f853ba8a196d3ba360fcda6cea4b6abf7f9637e55e2e3313d58f5e440a5c8c40d9e61864ec7e828cde2c4ecdb14175
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	135b5d1a525c6cc808b6ff25f7e7d420.exe

Executes dropped EXE 2 IoCs

pid	Process
4796	sysdevdob.exe
220	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLI\\xbodsys.exe"	135b5d1a525c6cc808b6ff25f7e7d420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFW\\dobxsys.exe"	135b5d1a525c6cc808b6ff25f7e7d420.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	135b5d1a525c6cc808b6ff25f7e7d420.exe
2312	135b5d1a525c6cc808b6ff25f7e7d420.exe
2312	135b5d1a525c6cc808b6ff25f7e7d420.exe
2312	135b5d1a525c6cc808b6ff25f7e7d420.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe
4796	sysdevdob.exe
4796	sysdevdob.exe
220	xbodsys.exe
220	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4796	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	87
PID 2312 wrote to memory of 4796	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	87
PID 2312 wrote to memory of 4796	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	87
PID 2312 wrote to memory of 220	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	88
PID 2312 wrote to memory of 220	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	88
PID 2312 wrote to memory of 220	2312	135b5d1a525c6cc808b6ff25f7e7d420.exe	88

C:\Users\Admin\AppData\Local\Temp\135b5d1a525c6cc808b6ff25f7e7d420.exe
"C:\Users\Admin\AppData\Local\Temp\135b5d1a525c6cc808b6ff25f7e7d420.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\AdobeLI\xbodsys.exe
  C:\AdobeLI\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLI\xbodsys.exe

Filesize
4.0MB

MD5
091acce38a0f62a5f78de510f507e8c7

SHA1
e1692f489cd2403c8961047c6b955dd9ec0b8066

SHA256
85c062935d2e1b3f6bd6b79334d6f8bc6facbf2a7cc816f609f835d86ed200c0

SHA512
c1544398f01059eeeccb454e8c64d49d174aaa3d39a9af3732df8f897522bb140a4846a46d4ac03b5107e1d73186999632b1dacc7ec9434b916d95a91076ebe5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
55e069bb781674826f5a73373d9d3be1

SHA1
b2fd7280465b006211aed3e5187ff79251eb00a0

SHA256
312cfd9b136a47d999c1220a1dc50f78c47e9d642f31311dfe6768f11fa4f878

SHA512
04ed0252e2508aa7669fb95372575367114b09ee9386c1691b53a1773c0d7ff8d1b2d3791211220a3f1b4827092df39cd950f9db7081cde67c21ba01689f1f4d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
d7f741d97b255f72ef7f156b98f44af8

SHA1
4d117f27026281b98ac14bb44cafc52f91e71003

SHA256
e3b4b35e9e2f1328b92895a194db09456cfe0452dfb1a91306feefab86cb5179

SHA512
c4e7b9f7b4c299f6c22029abc0581d3502996d4da0871ef7fb49daf915361252d4734a3b8819db80a082e1c93e74bbf49eed85aa10c674f4c96d09290b0de837

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.0MB

MD5
01ed811e56ee826146c0afa65756518a

SHA1
9e31e793e40b603101886a30378c5f1ff3d9df95

SHA256
8546a58c933654f971eef47e42b0d99cc816c060d0e141840c011e8f4341f807

SHA512
5730d5571538df7c2a59941fff31ad73849942ca637903b35328e668aadeef287c4ff10db6bedbfde230b1d4bb68a9a1cdf1cb198ece10ba31ad4efd7f10fcec

Download Submit
C:\VidFW\dobxsys.exe

Filesize
906KB

MD5
d7e00d7f33f119148bb746ea443292bc

SHA1
30c95f05ac542db2297645b68cf6fb9a212361f6

SHA256
1e0f667aa6f6c0b4ad029f34235c54196b667f44d0061df060fbd9607a0d556f

SHA512
fd6a3d8aba3b2fe4fd5668d19e47b15ca823a16c0c1f3e19e0f51558bb7c4de83a9cc6476bfacf02131335568cd959d12d1475cea1ab7fb8903605094b31caa2

Download Submit
C:\VidFW\dobxsys.exe

Filesize
104KB

MD5
c109c3680ee00e25928b80b3778ef64f

SHA1
590082ade69cb461c78bbce45615b21a2a519939

SHA256
d02e834846fee62e8f2b05a1db8bcade3a513567306355ec6e26ff8897008ac7

SHA512
18dd4cf9d73db8942aa1f6dba39d2930b13b91af931da75ee59a9571fa6df77b826e183820c41a11725ea410db67dcbc360327fc1d04d188bbd696a2ace589da

Download Submit