dc29021ebd4e79103b43d91397b6592749e7170273a8323e4dc9a26e3c7b3bb7

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b5125109082072036165cbebf0bed0N.exe
Size

2.6MB
MD5

34b5125109082072036165cbebf0bed0
SHA1

410a3d0a4d7e5ab174b47d0767d18a272c35cac9
SHA256

dc29021ebd4e79103b43d91397b6592749e7170273a8323e4dc9a26e3c7b3bb7
SHA512

c2d3f0bde9ab69f1e44e579491a5b67beccdc1d6369bf33747580a32979f3fd8200f56eabce6e7d905724eaca130771f0c4c01840329b4f45c0382b6f8ff8498
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpKb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	34b5125109082072036165cbebf0bed0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	sysxdob.exe
2116	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
756	34b5125109082072036165cbebf0bed0N.exe
756	34b5125109082072036165cbebf0bed0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN1\\dobxsys.exe"	34b5125109082072036165cbebf0bed0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotU3\\devbodsys.exe"	34b5125109082072036165cbebf0bed0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34b5125109082072036165cbebf0bed0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	34b5125109082072036165cbebf0bed0N.exe
756	34b5125109082072036165cbebf0bed0N.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe
2296	sysxdob.exe
2116	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2296	756	34b5125109082072036165cbebf0bed0N.exe	31
PID 756 wrote to memory of 2296	756	34b5125109082072036165cbebf0bed0N.exe	31
PID 756 wrote to memory of 2296	756	34b5125109082072036165cbebf0bed0N.exe	31
PID 756 wrote to memory of 2296	756	34b5125109082072036165cbebf0bed0N.exe	31
PID 756 wrote to memory of 2116	756	34b5125109082072036165cbebf0bed0N.exe	32
PID 756 wrote to memory of 2116	756	34b5125109082072036165cbebf0bed0N.exe	32
PID 756 wrote to memory of 2116	756	34b5125109082072036165cbebf0bed0N.exe	32
PID 756 wrote to memory of 2116	756	34b5125109082072036165cbebf0bed0N.exe	32

C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe
"C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\UserDotU3\devbodsys.exe
  C:\UserDotU3\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBN1\dobxsys.exe

Filesize
1.2MB

MD5
0f5b91492a26a174f344c46ade769c2a

SHA1
616ca67d48c45c92508799156d6543bafec2649b

SHA256
718ad4896867d99db1eb270e4fc7ceebbd1ce96b5062f741ff1375f58296a4b7

SHA512
e1fad7924ca766994190c28215587b60a1cf562e009ee9a20e481b53157b5bc2a40a3515578bb31f881d0e0dd61398f47314d85ce3b5b22aa8739c66d0e6eeaf

Download Submit
C:\KaVBN1\dobxsys.exe

Filesize
2.6MB

MD5
87f9b919a09e3bde5098e2d58ea27de4

SHA1
61439fd966dfe80f2e7bf7c841e4a3b78d9caaeb

SHA256
c3b8a4b169eaa7380647a76aff56ab389bc2472d6019ea9b81efc31beea29615

SHA512
a95b088ae0cbf49e1019965b77f8fbc9204f29fe9c775707c006a56ccd8070f03383af1be4687dbc191c8758077237d73d1a504380e1e9703991dd34672218a9

Download Submit
C:\UserDotU3\devbodsys.exe

Filesize
5KB

MD5
b1bff5461f6eccee15bc13b90b862c37

SHA1
9b68b3e8bd60c2c4b00d1ff961e9c20b00350466

SHA256
31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498

SHA512
fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
ac587df0a54bfc272b90b141be956a0e

SHA1
1ffb25eab92b06d3e4ecdc38d48a75350c504e37

SHA256
340734de65146972249c91cc77d41e95b93d61b039f417c366ee4279b256e807

SHA512
5f4e772366c753c8b02874822915c6869401614cf28de75e79527e9ac7ac31e24c8acb1747f7c6111c130804e5d0b59a21d84f19ac668edddb0275182678e770

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
29ec9a4fda707578b1a745bfe50f0c33

SHA1
75a47d7deec230b6ccead23aa341ab12f221ce70

SHA256
963b1c7a4d8f6baa59d8eb4ea3e4557db2546d6f352c7680395486e0e6809c41

SHA512
a34e57437e95ef636af123ef0cbf4c7f05b7795a342c7c46ece8e4cb2b35f07c75e440b602da4285ff3b7374e907c700276b3c4761318636128379606472d8c5

Download Submit
\UserDotU3\devbodsys.exe

Filesize
2.6MB

MD5
dd66589d312d06d0e1f41ca149051633

SHA1
a04bdb17488f8f54b754a76131653cce6b8e6108

SHA256
ac716c024493f1ccc841ee8ff634531b541efd8f7009f77cdb1720a684b84263

SHA512
bfa85559c2f7b19dd806b57d38d3339ebb9ab0e89d1017613be49088778e6b5ba442c8728b9c5e58eef0efdef0619f79a913dcb87052100a2dbfc89d60f06db8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
040383c273c084dbf47d66b79b2b29a3

SHA1
a0fde05a3472af241c2f1b8c5aa7f9b42276fdb9

SHA256
737bbb7d3350ee09f3ff8243d55d7be7661811c631d6b41b7e92c42d0a6f4444

SHA512
353fea5336dddb85ac803ffe12528f6e5ef3b8fbabd45acb169236a31378dbe3e97115d87ee1a3d203d0f0bcfde4888053199fb1fd356f51c676dc6013f9ed93

Download Submit