4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Size

3.0MB
MD5

d128d026bfe11969c9b706abecb160e5
SHA1

5539a6d5737d1bdb80b49c981730d87d17540f4f
SHA256

4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03
SHA512

c9412c68a601f3ff7795726c8eeb0739b4ac35a73bb14e67883a5b16bb229b3cb7ffe743d0fabb1b0d0234be5c552fe055f8625b803722565bce7d2dae80738f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8:sxX7QnxrloE5dpUp9bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe

Executes dropped EXE 2 IoCs

pid	Process
976	sysabod.exe
2724	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWS\\devbodec.exe"	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQQ\\dobxsys.exe"	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe
976	sysabod.exe
976	sysabod.exe
2724	devbodec.exe
2724	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 976	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	94
PID 768 wrote to memory of 976	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	94
PID 768 wrote to memory of 976	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	94
PID 768 wrote to memory of 2724	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	95
PID 768 wrote to memory of 2724	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	95
PID 768 wrote to memory of 2724	768	4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe	95

C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
"C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\UserDotWS\devbodec.exe
  C:\UserDotWS\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3056,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQQ\dobxsys.exe

Filesize
3.0MB

MD5
6c648c3f557a678b5fd5ef5c3b230f5e

SHA1
107f3724dbe68c0202a699b5300de8024d4f2d6c

SHA256
e01f8b2c4c11bb4190fde56ef3bcb21427e5cd47012227b0959dd31e567ebb2c

SHA512
5a9b4f7137a91d3cdc2c2a892713630c043df0d5dbe0551f0e59084f4692f951286b2c1072897d6def6eb00a5572d7ebaf730024ab769531c6ff604d3cc8f11a

Download Submit
C:\LabZQQ\dobxsys.exe

Filesize
465KB

MD5
2986cdd2de584a1ddd0163579bfb8bcc

SHA1
1d371801a535fb4da3e6791d232a6afa57bc9af4

SHA256
e5593e6f73875bd630f13ce5bce074558eecbca8c7799d9b6605b32569ac40d1

SHA512
be231c8a43f96d5713c31ede91dfd0172f748dd6f276903cba5058b7f4b1f262be7942a908043d57a4066989ec4caff81e5d85892d99b87ff91505b41b920916

Download Submit
C:\UserDotWS\devbodec.exe

Filesize
308KB

MD5
ecb86671afdab56d722dfdbaeb1dd77a

SHA1
c42c6de98e313d5aebd3a56a590a090001722241

SHA256
061f4d2321acb2815360a70045dd2e0e9dffa26d8a1cbbbd53e3975a2390366c

SHA512
91f978d46ae705fcf026ca97f2ee273c416495cc0b6d41178aabb563e1b674914d8f34cd9e07b832780c89ab0ac2d5762e9299d9c73c888132f2fda05dcdfe5d

Download Submit
C:\UserDotWS\devbodec.exe

Filesize
3.0MB

MD5
3956a95ab46e533a82cf09b6e2c81a66

SHA1
53d0d0d1d0835a958f61c58308cba3952ebee74b

SHA256
45433f44e39508accbb995c11c14bccdb9a3b1c273dd9d639656bb672bbfdc2c

SHA512
ec407bd5af65d9a0f8714f2084e16015d9c1877f5374e92017e3850a18a0525f67867136c9b4b960919eac3a80287c8a96fffa2b1bee2fe18103c3e153215530

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
065237ee1665d9977435b48e2eda79ea

SHA1
bb66c8b30963fd231bff2d250823af62dcca9c0d

SHA256
dd4069f2a5ae6dfbd8a7b70d1d2b6888312cf9cdea4c3f16f90a978d8ac09e3e

SHA512
37d2137773d0d3034321ff0b650da8dab4540b3b7c5fe239af079f36193d301b6ff467c7b89c8a76591d07a626bbbca1332e6f6a41b387b41fa3b32e06029c82

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
bef69e59463e688ab0bde86ca2c38c2f

SHA1
47ff4f2798e0efc0606adf0393a0ed6a5e27868e

SHA256
69015fc3220d5a5f61ba08628e89afc38c459191ea670e2a6c091785ef259db1

SHA512
413f75a8930516c9c1bfa22f71c8f9f2590fe91a2d20301a4f02651101a033a9062292269f915b711ca7a1b6d34c8760be273cb398c1fe035073d90b2547af63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
42ee3e6541e9332330251d0d5c66de61

SHA1
03e7d7abbd46383355fb17f459140bf2eef26a73

SHA256
bb752af6c86da9edfe2db2b5acf13f930ed2e4d52fd2e107046ebcde51c84ad6

SHA512
c2c0ceef682e1f90dae28127587ff8e470a554c5c4b25a5d2748e5df4df6fe4cf4eab4c002d1b11db949a230ac0e6a27e7469e5fff0b209bca5e25ca0cb1e4f1

Download Submit