742c574da40e41ecf3bf65e4210294806d317bca2701e3ad4f6e1b8a9ceeb98a

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 14:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a267553b2ed86fe91884285ad7f9e720N.exe
Size

2.6MB
MD5

a267553b2ed86fe91884285ad7f9e720
SHA1

bdeac1f3a341e0a8d0e3f16505601e225e888208
SHA256

742c574da40e41ecf3bf65e4210294806d317bca2701e3ad4f6e1b8a9ceeb98a
SHA512

cc0ea74c8b81f8da33c22a40368a2fe9bf503c62a78091219e5d3200e034836d5520334a5aebbef0872f1cb989c0fa11f9588b5804d6ff3db0c09ea55328a925
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpOb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	a267553b2ed86fe91884285ad7f9e720N.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	sysxbod.exe
2612	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	a267553b2ed86fe91884285ad7f9e720N.exe
2816	a267553b2ed86fe91884285ad7f9e720N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSG\\devbodsys.exe"	a267553b2ed86fe91884285ad7f9e720N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8E\\bodaloc.exe"	a267553b2ed86fe91884285ad7f9e720N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a267553b2ed86fe91884285ad7f9e720N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	a267553b2ed86fe91884285ad7f9e720N.exe
2816	a267553b2ed86fe91884285ad7f9e720N.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe
2176	sysxbod.exe
2612	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2176	2816	a267553b2ed86fe91884285ad7f9e720N.exe	30
PID 2816 wrote to memory of 2176	2816	a267553b2ed86fe91884285ad7f9e720N.exe	30
PID 2816 wrote to memory of 2176	2816	a267553b2ed86fe91884285ad7f9e720N.exe	30
PID 2816 wrote to memory of 2176	2816	a267553b2ed86fe91884285ad7f9e720N.exe	30
PID 2816 wrote to memory of 2612	2816	a267553b2ed86fe91884285ad7f9e720N.exe	31
PID 2816 wrote to memory of 2612	2816	a267553b2ed86fe91884285ad7f9e720N.exe	31
PID 2816 wrote to memory of 2612	2816	a267553b2ed86fe91884285ad7f9e720N.exe	31
PID 2816 wrote to memory of 2612	2816	a267553b2ed86fe91884285ad7f9e720N.exe	31

C:\Users\Admin\AppData\Local\Temp\a267553b2ed86fe91884285ad7f9e720N.exe
"C:\Users\Admin\AppData\Local\Temp\a267553b2ed86fe91884285ad7f9e720N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\IntelprocSG\devbodsys.exe
  C:\IntelprocSG\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8E\bodaloc.exe

Filesize
35KB

MD5
ca883de0460390720b9823e0e4318be0

SHA1
c8eedb997c3cd0994f1e96fb269b37315e0bb954

SHA256
726d2dfaa0a24f6071954c1f8bc4281f5c3644a2c6456ee4771f9e060939cf7b

SHA512
36316b84a365d345e4d7cc03a63e5fd4584cee088f865e73369fe8e28037f53d00b370bf40a0da33ba31f3bd740b8723462fcbf17716bcf2e3d8d6d65b82b892

Download Submit
C:\Galax8E\bodaloc.exe

Filesize
2.6MB

MD5
dabdb632fba8721c234728beee925e6b

SHA1
e8551bf8401521ac5238b9d615b38db27c23ddf4

SHA256
b913f55db4da6951690842aeb51845de7f88b95e1723a4b0d6314e63f1bfc4e2

SHA512
f654a44bdc51fd4d93ca9f891b77bde2cd28e6f7fbb905182f581de11dad33a59fdebb1d1c4a3f6a076b17a14d7b9342381651e71034526c2cb3eeb3379d39eb

Download Submit
C:\IntelprocSG\devbodsys.exe

Filesize
77KB

MD5
8a073a6ae6304713ccd89ff6d97b68e9

SHA1
65ed0ca3ad8e177e278ffb4ff757de7313b1d8ef

SHA256
8d8c654bedcbe1071a79f62a90ae88552f4fe45192cfef8119a371cdae0285fb

SHA512
ad8cf1ae90fef83370aedeaba7d97d44c0a27251016c0b6458d034dabcd3641f732e6eeccee3ce42f69de7b0c99421985af0429aeff13563a7b116eba4a0c7c2

Download Submit
C:\IntelprocSG\devbodsys.exe

Filesize
2.6MB

MD5
a88c8c04565a6893bb3c776fe912bb87

SHA1
b9e0352d00a9e564235f659ab65a8708e39a18c7

SHA256
160f4a53f3b7aa5883d566880af3b65a46ba3c504ad1e906f86e04c499ef95ed

SHA512
59172790f5535a9d559b0102b6f1cd45a39df3f3da1152d54fd6c8240caef785e61b6dd4caeecdeb43702fe47e1d25a62f70ad41900550b959aa78b16d523520

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
353c71b1ce326f0e9de6fa3bbb9f7802

SHA1
1a8466f0ecd719e98438e61056046d649f97914c

SHA256
88b809a21d1af4975bd7bc82ed4e1ef9ae78535bd50395d6fab1458027426b1e

SHA512
2afada70db5e776424194bb92ae56ac190696f40c55415c2cfcdf2237c4bbe6e1d41b3b3108a5aca18742cbfc4ffd372e1d7c8221e6d6c7f6b75ecbc05f62fb5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
0eda23a1c4406cfb09dcc69194e97c01

SHA1
5ed2f1b4fffd398426ec7572b14285273409ff7e

SHA256
bfd1863fb9d091c22023cd3f3d3d83fd9fc10b8801b912e114a36a848197505f

SHA512
ba454f855e2bb043fa567316b405241d05f3a76d712ef2ca2d9bdeeb35cfca11cd1c2d4a9fc498123d98b0ca9eed84d4708765dc22c8ddb7e6bdf5abadb388a7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
59fcc5e8713f6cbc98e13a671703e641

SHA1
ce3922ad4902e0046a6e21b4d2ea5c709d52b694

SHA256
4b393af2c5ac38fa91e2641187d122e12fa001617a0fc25df496ed0f46f255ee

SHA512
bf65089bbda5d12a56f0fcce528de3f68d6a890c80dfd7398089d55b72c2da5071d68da30d7c39399c0542c23b3c8e1e84f4c5987775adaa96ad700134d35801

Download Submit