bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
Size

2.6MB
MD5

5b6453d62b5770ce8b77d0b42f8563c2
SHA1

a2191e69c93d8e06ea7627ddcecfa3ec3bdcad1d
SHA256

bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b
SHA512

1aca7a5b7cc00af2121dd371bd3293145d6d1015324c936bb1293516225f3eae822575a3ac6955d78ead1c3a086a2fdb2b03ebc171f3e8ce46014eb146a41362
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpWbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe

Executes dropped EXE 2 IoCs

pid	Process
4856	sysxbod.exe
4016	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIW\\devbodsys.exe"	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNJ\\optixsys.exe"	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe
4856	sysxbod.exe
4856	sysxbod.exe
4016	devbodsys.exe
4016	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4856	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	89
PID 2748 wrote to memory of 4856	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	89
PID 2748 wrote to memory of 4856	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	89
PID 2748 wrote to memory of 4016	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	92
PID 2748 wrote to memory of 4016	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	92
PID 2748 wrote to memory of 4016	2748	bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe	92

C:\Users\Admin\AppData\Local\Temp\bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe
"C:\Users\Admin\AppData\Local\Temp\bbb357a438e243df39127bfac3f89282e49bd659c5ddffcc07e1697f8353be1b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\SysDrvIW\devbodsys.exe
  C:\SysDrvIW\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZNJ\optixsys.exe

Filesize
9KB

MD5
61b773990ee27e9e908970e63b267f79

SHA1
522f4b8bd8207fe759634142fdb72607b71380f4

SHA256
8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d

SHA512
6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e

Download Submit
C:\LabZNJ\optixsys.exe

Filesize
357KB

MD5
57462a5680dd7bb11803b3729ec2db24

SHA1
932486038451a41f35660d93054128cc5c830813

SHA256
e411676b352609f99a9846be9daef1e4ca8ea1175da0672b6c32dc2d18374a8d

SHA512
d730c4b97f0cbffefa1a2c8fcc963cebbe23abebcf737f0b7cf5628318334ed0a860e13ab912b90f0bc2bbae7c53b3268365c8baf689d699d169e4275b0d370a

Download Submit
C:\SysDrvIW\devbodsys.exe

Filesize
1.3MB

MD5
b2f5462801de7c5a6c2018ff36900787

SHA1
ea1033da7a443a7b47c22a060b80947125af99d5

SHA256
af40cc5dfe566ecd7732ba247023130b3fa4c60686d287ca0cd99a272f49ba9b

SHA512
78203fd95681686f0c251a4e3c8505031bccb52297f2bf3d5137cd32182e92ac383dda3fd6472e3dfa70e8f7864c2c2efcccc37571d1598d8e28cac04bdffd95

Download Submit
C:\SysDrvIW\devbodsys.exe

Filesize
2.6MB

MD5
032a9b7ee0df54b357edb824362a8296

SHA1
af9a0aa57d2f697704a64b7a9b7fbb33b1c52ab9

SHA256
14d4ecc7dfaf5aae58949abf9bd29dd8ed73a6d23b96cecbae1d19e7ca9117b6

SHA512
500a802b1cb1c1e4c564db2427c6e3914f8fb5ec9c7dadf3f127204d6b8889c5e46fbd9977050c20d7f528fbac9bab043156fd77404ebda331d125ab945a64fc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
75417847c8d2b2511903ae3289b1b9f3

SHA1
fade094533d6e5bac7e64010731af4a0f72443a9

SHA256
1e5b3222309ae1150cd8a100f5f9663e2b185e2be5f5baebaeed9d9d02d30d4e

SHA512
8f2bee464c5bd8999f9439ff2834f6b08f3e72279fd3384c2229ac96d6e1c1aed7a5fb3228d9c562a6db07d50c32d04affad6731582c80da79d8e93909ca16f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
2d57c01145acfe85e5f4f652b095ba84

SHA1
4e91932711c7ae0e08de16fbcde1eae2bd15f802

SHA256
ea85461d704bfe7a026151e8dfe0a5c857e456e9381685ebe145b0996837ab82

SHA512
9e26a7b1f9a75bcd8a6eed3447edfd2153377b6dcc4f25a4ba508f3db284d8163acfa8db32933d4f4076a8f5205df83506b054e474252c36cec849d50b0cc878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
0b1d554fcf4eaf402e4b0fad5a7705a7

SHA1
350d45a3a72f48593979bb50eead42e6156e0d98

SHA256
34f8ee3751803997ff7d0d15988cc622bf08a269363edd695171e2aa2cb529d9

SHA512
7ebfd550f9d2fb450cfb7df16121f3666fec58dd0231f0586a60e3e4521bc5bfbb855b5661c5743e3f855bd46e1bb0e4b5a2841ae2089e830e8acf6686cb1029

Download Submit