Analysis

max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 08/08/2024, 05:23
Static task: static1

Behavioral task: behavioral1
Sample: f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Resource: win10v2004-20240802-en
General

Target: f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Size: 2.6MB
MD5: 5b7afcd55c9ffaa51d37f7689696aba7
SHA1: c3a1ced3c3a574cf959569fd7c353c7ff41704e5
SHA256: f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf
SHA512: 50972d2ad3c7359e5cea795c2e6cbfffc6dd3f0ec176e0f86e0098255b07a2a7c92d89857a476b996777ba1b9a7666b70d7d9a9784cf9d81a7e4ee9d272c4d91
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp6b
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to or copy of the web browser credential store.

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Executes dropped EXE (2 IoCs)
pid | Process
2308 | sysadob.exe
3028 | xbodsys.exe
Loads dropped DLL (2 IoCs)
pid | Process
400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXQ\\xbodsys.exe" | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2A\\dobdevec.exe" | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
2308 | sysadob.exe
3028 | xbodsys.exe
(the remaining entries, 64 in total, repeat the alternating pair 2308 sysadob.exe / 3028 xbodsys.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 400 wrote to memory of 2308 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 29
PID 400 wrote to memory of 2308 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 29
PID 400 wrote to memory of 2308 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 29
PID 400 wrote to memory of 2308 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 29
PID 400 wrote to memory of 3028 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 30
PID 400 wrote to memory of 3028 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 30
PID 400 wrote to memory of 3028 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 30
PID 400 wrote to memory of 3028 | 400 | f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 400

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2308

   2. C:\SysDrvXQ\xbodsys.exe
      Command line: C:\SysDrvXQ\xbodsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3028
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: c502be21f28a4e091176821b831bb994
SHA1: c9de0cd2644b40708b1b9c113b35d646ca474f4a
SHA256: be71c2cacccd33f2c7b9cdaaacb6e94daa2394fe57d755740f22d47b26eacb0b
SHA512: 6d27acccdfab5fdb0979a690539561b857badbf8bba08dc9946f5465af62514c8a7d7adab4f7b4932373ea7fceb1b5ec7d73978dd0af8779d1a1accdbec874fc

Filesize: 2.6MB
MD5: b38cd70e829565b84d09e6fd5550ebef
SHA1: 246fde73388f787b1c812a7f92100fd532c8092d
SHA256: 599a3b127f441c8f049a95e3b5606bb2ca8709b144acdce7060dfaef2a1fd71d
SHA512: a9ceef302e9746b91dbc76a75ddfc8ce479b5309dfd15aa0c904c9a81c391dfcf41f3a0e00071a2e0d3442efce2926407c7bb73b92f1c850cf01685c33317676

Filesize: 2.6MB
MD5: d8ce0ab497e6188068fb036af30ea9d6
SHA1: f00233d88f61f70886f6ac365983ddad3c004dcc
SHA256: 06af7abe6377f869836f7361ce37d399f945fd96182530e1da5f750ddafe338b
SHA512: 1f8c9a2a3ed1d2f99720f39167646e21fe8c0d3c166bf4d684a385620815df61a92da66e180e0962820365f520033eb472a39fd4c686734a3a36f702174f9b77

Filesize: 170B
MD5: 5c293b815c270baed75219b7bfc98e17
SHA1: ac4d027c04a218adaae3eebb6d13e88152fd3353
SHA256: b36eafa5e49e5225762477e3f61203930ecffdddb02a04427d870578b1c14c52
SHA512: 464a4ffa91cef218279a02ee047c31b62c058a18a84ed63fdbf155eb74cb09c7254e698dccc0393310b878485ec07760c5e39d6077b78123c80f89af7aa58b1c

Filesize: 202B
MD5: c0b058a2ef8771b459526b8874b2ef4f
SHA1: 2e788d859a99bd1fbe5632e5e7926f3753365763
SHA256: 82e0af8ec59174803663e20f952ede32fc1631b89558c243d3166ef39a8219b9
SHA512: d68a3d52c301e7d847a953f35ac3332753fe712859ff60f2b9951441e438f76e57ba4b71fa4982e3c190ea0dc088551f4e9c3372bf1cc2d4ae653ae68816b80c

Filesize: 2.6MB
MD5: e6ea1e5d8eed52c88043bab70091f91c
SHA1: 52ca763f9984783cd691f3aad384e44e9d8d16c5
SHA256: 8577862292bdaae74a11b935040ea03433dbd5f4342f5e5beb8488632fa66036
SHA512: 89f9cfdfe7155f749167f6886f8a1596a0e5360bc16c130a3a9d11defcfdd0ae3c22188239e15cdf9ce01bb24aa58f5be74bbf426ce08e5ef0c1227ace7edbcf