7476915618ff5b7c002633837d6c9b1ba2a6fa04b9569054713c3b2858960c90

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae35361913d320c3069363fa3fa3ade0N.exe
Size

2.6MB
MD5

ae35361913d320c3069363fa3fa3ade0
SHA1

83743b5c8258414b52fbf433e1ed3eaf2f6b441c
SHA256

7476915618ff5b7c002633837d6c9b1ba2a6fa04b9569054713c3b2858960c90
SHA512

fac4e27ef436c49df0e9ff87b8f66afcc72e6f5b7f723db6f3a148030f4b274ced028680abadeb8cde97e41426c60d7f92294f7fa9492949eba78144b6197114
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpob

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	ae35361913d320c3069363fa3fa3ade0N.exe

Executes dropped EXE 2 IoCs

pid	Process
548	sysxbod.exe
3444	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAZ\\devbodsys.exe"	ae35361913d320c3069363fa3fa3ade0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBQ\\bodxloc.exe"	ae35361913d320c3069363fa3fa3ade0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae35361913d320c3069363fa3fa3ade0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	ae35361913d320c3069363fa3fa3ade0N.exe
3460	ae35361913d320c3069363fa3fa3ade0N.exe
3460	ae35361913d320c3069363fa3fa3ade0N.exe
3460	ae35361913d320c3069363fa3fa3ade0N.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe
548	sysxbod.exe
548	sysxbod.exe
3444	devbodsys.exe
3444	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 548	3460	ae35361913d320c3069363fa3fa3ade0N.exe	89
PID 3460 wrote to memory of 548	3460	ae35361913d320c3069363fa3fa3ade0N.exe	89
PID 3460 wrote to memory of 548	3460	ae35361913d320c3069363fa3fa3ade0N.exe	89
PID 3460 wrote to memory of 3444	3460	ae35361913d320c3069363fa3fa3ade0N.exe	90
PID 3460 wrote to memory of 3444	3460	ae35361913d320c3069363fa3fa3ade0N.exe	90
PID 3460 wrote to memory of 3444	3460	ae35361913d320c3069363fa3fa3ade0N.exe	90

C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\IntelprocAZ\devbodsys.exe
  C:\IntelprocAZ\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxBQ\bodxloc.exe

Filesize
1.6MB

MD5
f4c9953475a57f69852518f4202293a9

SHA1
e2bc0cea0f534515b3bd373f4241ccc294191f0d

SHA256
35416fdcfcc0e7e7ab942c1c6e66785d5597f6db24296c602840395b0e7f407b

SHA512
26329a853276f10575d8f8b86bc67de1f2cce819406b986a14b1351b195ac8037bfa62bc15c60cbcbcf2cb7cb6e132eb4b21242009f9212f06fddb92171a7299

Download Submit
C:\GalaxBQ\bodxloc.exe

Filesize
2.6MB

MD5
5d1a5d7751488617917523ad6ff93882

SHA1
b22c1cfa6fd5a0df55c2e435b5201f19839e8375

SHA256
e0a507f28af18b40b3fb1611e9b36453d5d541209a1d69502ea4ebc912e6e95a

SHA512
a41d5c599c3d445243efde19dd02c4941052a552475f6cc057aee6de3efa01f6d36189329f335ddd3f522f2e23a4b13637141ebc02efdd67e36e088a08689b7a

Download Submit
C:\IntelprocAZ\devbodsys.exe

Filesize
2.6MB

MD5
241c585e676275eb808bba8d28bc69bb

SHA1
a9da3da14d177251868968b26bc0d7ed8deee8c8

SHA256
54774b76fa73c5b5bbaab7d24cb9c4bfc52329dbf3185d2f36fb334e0e35af28

SHA512
5baa0f569390e4597ad65c0eaac1bb6c2937321e6bfa47afc2ecaf07d22eece11fbcdd0d2779e064d552527f21c436825dbcef5cb73fb09271ec1d50177592a9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
d28fc3b6b309eadb165dd9c84d381a1a

SHA1
77e294b809acf2ee087fc7a806b8d1ea95a312b0

SHA256
553626010462faac469cece11f38c11ebf35b500563334f02ae658d3c6ebf91d

SHA512
013ebd4972290707e9e6d8d6ba271cf1cc43c9cdf8432fab5943b89094e45edd62b0e4527a52082d4155c3f65135947f21bfd558cae68a984d94be5bb1862dea

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
df06cdb3563ae0d968df18b795cc9ec7

SHA1
2ddf8afc47ce709e9f6a4013d666a69535a8f3f0

SHA256
38e69d2aa533c06f431d8979539a23669ffa1ac91e669b7690608fb9277566b3

SHA512
01fe1ba3cdb66f5e4a0bef6c9f4795fcaedf1dd6fcb0528ca57382a87197e980c88540b3558666e49ec07834e9387bffae6bac930890f5b1d003ed31a12206ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
4475c4799b5cf0b051d8e8f4a9138c7a

SHA1
bd26aa826fa38ebfd037a633dc625caa6a6ff26c

SHA256
9e6694da4dd8954052ca7b61991a1c65ed9b39e08142b2270a8d3c74752948d7

SHA512
aa4a0fabd1807f0f9f74ae2f2ab88baac58a795f966fc5742938a9fadabfdc6b783c22d6fe495189f8edc641c9b4eb734b75b2ba9d7122b552d204f39e4c8261

Download Submit