08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
Size

2.6MB
MD5

294ae43cab39d60ade8845bb46183634
SHA1

0b68dfa8bf32d0a34fad449aaccaf8037f7c7449
SHA256

08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52
SHA512

7b1bd16e071579260c52cce941000cd5ed2891cdebbc1f2450a54da27540c5ddbca6372f08da20568edac948e2875f5dfdcf63f4e33bb49cf6e8aa0cbf3e1117
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUp6b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	sysadob.exe
5096	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTW\\xbodloc.exe"	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTN\\bodxloc.exe"	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe
2940	sysadob.exe
2940	sysadob.exe
5096	xbodloc.exe
5096	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2940	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	89
PID 1188 wrote to memory of 2940	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	89
PID 1188 wrote to memory of 2940	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	89
PID 1188 wrote to memory of 5096	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	90
PID 1188 wrote to memory of 5096	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	90
PID 1188 wrote to memory of 5096	1188	08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe	90

C:\Users\Admin\AppData\Local\Temp\08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe
"C:\Users\Admin\AppData\Local\Temp\08cb9224781f9a1e7d49ace80eb3542bbd3e7429b00b1a4196d4a68670be2f52.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\UserDotTW\xbodloc.exe
  C:\UserDotTW\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxTN\bodxloc.exe

Filesize
1.5MB

MD5
f639b86b5ac478da6d836683073e1e17

SHA1
5cfd50ddc7b60f96032876402bbd211c38dda98f

SHA256
a486838fd921067628e4855191908993f2736145a1d7c63e8a5b8dddb47a87a4

SHA512
73d80f573f1f890c25836bc1cae5714ea2cbaeda993c904c55256a6dd028c85b5ae5ceb03816b77a55bd7df9b69fb693e7614476a9eef8c7aa8b93fa03cff977

Download Submit
C:\GalaxTN\bodxloc.exe

Filesize
2.5MB

MD5
cdd80ac7b826ad69b7ac5c0779ee0bb2

SHA1
78eb4d6db10462c7561b8ad473d6fc62392864f6

SHA256
432b3cda66ff2fbf52ed95b4373cc7344e724afc3136c5b17986d5c0b7220875

SHA512
5ef0b17b58afdaca85339e8a53f2e35c79ae7eaa2f10e9be6ec95e901c1b3dd8d77edc73c2f1b0762f368df39c7cb05ae59923c9caa4a00946fabf4404e4f599

Download Submit
C:\UserDotTW\xbodloc.exe

Filesize
149KB

MD5
79f46bf9c3416bfe000992ee8a836b12

SHA1
b9224a09f5a33e00bdc26964f7bc8666de2104cb

SHA256
82eaa89f64f12698b78c29b79b95812183f8a2c5c337ce1ef4db2fdb4aed0666

SHA512
b17d8f3f2dcbe119ced2c1ce791e2723322cd72795f1a87dfee177cf162d8493363a5232c299f41f255101fc979fd66fd7d0a144ca8aaa3c5d5d942b810057cc

Download Submit
C:\UserDotTW\xbodloc.exe

Filesize
2.6MB

MD5
219e803a1a7432ec57c585ee74e49d9a

SHA1
99ad4ccb925b898a931ef69d5eca1704010f7c2b

SHA256
d10d30cc75d5f982c56d2dd93a36d0879890e9f51cdb0e5bd76156cf2acf57ec

SHA512
c36e72bdd651f88f75697d55a9fb0778576609ed5a30f458f0f0a90ec1089390a5cfecf5af9314cbd91b1181a1a39917b80abf7448aa08b1359370dbff7e6ddf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7f08053c38ba675975c011fa03993da0

SHA1
8fa55c016fab52a7c43f112f7de466b6199239ab

SHA256
2ece54bcb98f550b6b4dc8eb90e996b91bdf7c802736f40b7650e8fa0576874d

SHA512
fd80bc432adb1f338224ab875b0d06fc37dc1584bf84089648131e1d4e852cfb80e533539509dc651fa96207f5e9a753d3d95722c7dddbb44ebb52dd7dfdb9f1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
1c5e36b15720141e61da1ed5af0d0ad7

SHA1
1480773a231ea9c32b7362d6714933efacd8da58

SHA256
110bfd8915a10f013feeec102634c9a71c2d1765ae0e90ee00990bd16dc5fece

SHA512
012bf4ce9a7cebcacbab6bbce93d1ae06db751d6943b37b6195863550da968ddc2ce14d9477c2ebb6397f1df7906da16ce8faca1719f935e73284d06efa60205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
f71884bc3f38594cf20c87b9e99d98c5

SHA1
43fcf40aecd84420620a3f6ac26e95a19951b5dd

SHA256
f36b39351ba8ecc1fefd55fb2dc18d0b5395e76f56efeb4cba35311d86c92fa9

SHA512
787201811623ed5776f09b090b72f529e2e75795322070e652001db99153bfe57e90edd28892d46e49048454b5db0706cdf4c3f2cc3b31161c66e41458b654fc

Download Submit