c9ea54e76bdddc4e7fbffad6a3fb6554f91173aa71da329daab33c43cca0b4a7

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbba3a530dc5ffb5094e36fa60a098b0N.exe
Size

3.0MB
MD5

bbba3a530dc5ffb5094e36fa60a098b0
SHA1

7ab074c0b09b395bfc7aaeee01a0ffe46174fe9a
SHA256

c9ea54e76bdddc4e7fbffad6a3fb6554f91173aa71da329daab33c43cca0b4a7
SHA512

409c0d80186c19b157d194bea4c8a382eff240ae7f55cb2b3facc33d55c906165090a661b3a95614caaa3a9126915f7959db0f81ac86b8c1f11e424f4c0cf206
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUpPbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	bbba3a530dc5ffb5094e36fa60a098b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2468	sysxbod.exe
2920	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe
2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPN\\xbodec.exe"	bbba3a530dc5ffb5094e36fa60a098b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0E\\bodaec.exe"	bbba3a530dc5ffb5094e36fa60a098b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe
2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe
2468	sysxbod.exe
2920	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2468	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	30
PID 2280 wrote to memory of 2468	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	30
PID 2280 wrote to memory of 2468	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	30
PID 2280 wrote to memory of 2468	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	30
PID 2280 wrote to memory of 2920	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	31
PID 2280 wrote to memory of 2920	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	31
PID 2280 wrote to memory of 2920	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	31
PID 2280 wrote to memory of 2920	2280	bbba3a530dc5ffb5094e36fa60a098b0N.exe	31

C:\Users\Admin\AppData\Local\Temp\bbba3a530dc5ffb5094e36fa60a098b0N.exe
"C:\Users\Admin\AppData\Local\Temp\bbba3a530dc5ffb5094e36fa60a098b0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\UserDotPN\xbodec.exe
  C:\UserDotPN\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax0E\bodaec.exe

Filesize
3.0MB

MD5
48207e30332a61e89fa1a73e32b14a18

SHA1
3059f2e2b4ee4de8ea344d0178bd0be81c149b65

SHA256
0bd0d74f97c9756c25eb9f5b53a7616e16fdbf8a6f0cd48c209d5c272e2866a2

SHA512
107070c51da0053de324e965bedc2fb71c57820c5682204ae81bcf82900c10892bdbb0f485b7059256afe171ce0b773a0ac8013d9e4ff77fee93bc17c9633b4a

Download Submit
C:\Galax0E\bodaec.exe

Filesize
3.0MB

MD5
de9e849455ed0bd362309a9cd801c726

SHA1
c53435082cf5aad8df8fc6ff6f5c2677cee5f65a

SHA256
eb57abdc9b85377e87707d01bdd04c3af4cf7d30203bb0636ac7b934a6123a1b

SHA512
a1a2bf09081669e974a654425faf69b0a0be9941c3c09464a774188f3353748c801f3ea44e584fc9f0c249ca8c8271a6d6dcdb1d77a6baf426348d0e637aa97e

Download Submit
C:\UserDotPN\xbodec.exe

Filesize
3.0MB

MD5
3c64418b8a6bb82f5c516006712035f7

SHA1
c2fe9d27eb500937f2242b649eaaa78baab74776

SHA256
85f8e1821e45701f3c84c204082a89b07c483f532d9705caebe0a577e8494e26

SHA512
b3de8341a87ba55424fe249ea0648c0af09a015dd5cec31fcd75d79b6e43a7bf45aaf433d6bb946383e5ede944040adf875b9fddde2b0361457f45024267fb3f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
15d7b37f4fcc281c0abb738471f273f3

SHA1
ef4c91c836a7653a07a4fe7737a8dfe776e2c31f

SHA256
2004a0a76b19dd78005cec80f92bc371240e10b7f044a316b5579873c086bf9d

SHA512
b1e7952b89e77b35f697fd64de24c3cce957564352a117ef86a58261545c41b24edd6a2f3f26b23ba063d59d823a269376a63563cdac23372f0046b467071dc5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
3acfc397259054e15e55e3ba986072b7

SHA1
6fc09929f5e9f12f8753794c32559f38c2f4b5f6

SHA256
d08d9b110329a397c8743c1f3660125ffe2b6a2f6794becac59faee3dcfff6bd

SHA512
876252d3848f9c1fb881dcfea675e17a12ac2afbec8e243873bec959d49e60c51346d704c2b4e8fe163ba76a3a01c7e00a0b6570d12f50363fb048f004ee1fa0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.0MB

MD5
4a7b0d869cd3e3c5452cf839939e9f2c

SHA1
6be2bd5abaf7f9138282776f967aac676b20654e

SHA256
ffce2f52a320951ac02b8f303278174059f67c5768720dbb9a38842757e19e80

SHA512
ac15c821854d7a3e346def184f853f5b058b291b270fdddae89d2e86412847aa26281550479c81c7e1be6da2836370239ac34016156e03f3277ec2df11f3b1e3

Download Submit