b5a53522aa466511bb82d372461b3b4fc1ac33e9073365cd17f67b6deba1ff66

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963572ec4604e847d367a248b9a5d440N.exe
Size

2.6MB
MD5

963572ec4604e847d367a248b9a5d440
SHA1

dd1a94469ce7d8d9071b028a9dbe7b3177a27602
SHA256

b5a53522aa466511bb82d372461b3b4fc1ac33e9073365cd17f67b6deba1ff66
SHA512

1748c1ab69ab2769a9900129210c2573f6484eeda37f9535be87a132c3e7b180a3b4b62569aa7eaea64c45068eccb047775be8dba6957fa361b8c98b2004422a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUplb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	963572ec4604e847d367a248b9a5d440N.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	sysdevbod.exe
2192	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	963572ec4604e847d367a248b9a5d440N.exe
2748	963572ec4604e847d367a248b9a5d440N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files01\\xbodsys.exe"	963572ec4604e847d367a248b9a5d440N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS5\\dobxsys.exe"	963572ec4604e847d367a248b9a5d440N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	963572ec4604e847d367a248b9a5d440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	963572ec4604e847d367a248b9a5d440N.exe
2748	963572ec4604e847d367a248b9a5d440N.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe
2680	sysdevbod.exe
2192	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2680	2748	963572ec4604e847d367a248b9a5d440N.exe	31
PID 2748 wrote to memory of 2680	2748	963572ec4604e847d367a248b9a5d440N.exe	31
PID 2748 wrote to memory of 2680	2748	963572ec4604e847d367a248b9a5d440N.exe	31
PID 2748 wrote to memory of 2680	2748	963572ec4604e847d367a248b9a5d440N.exe	31
PID 2748 wrote to memory of 2192	2748	963572ec4604e847d367a248b9a5d440N.exe	32
PID 2748 wrote to memory of 2192	2748	963572ec4604e847d367a248b9a5d440N.exe	32
PID 2748 wrote to memory of 2192	2748	963572ec4604e847d367a248b9a5d440N.exe	32
PID 2748 wrote to memory of 2192	2748	963572ec4604e847d367a248b9a5d440N.exe	32

C:\Users\Admin\AppData\Local\Temp\963572ec4604e847d367a248b9a5d440N.exe
"C:\Users\Admin\AppData\Local\Temp\963572ec4604e847d367a248b9a5d440N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Files01\xbodsys.exe
  C:\Files01\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files01\xbodsys.exe

Filesize
2.6MB

MD5
34feb26f3969b4d62226e79f66041258

SHA1
07b2177fedff0e01cee0d72726adaf6d2260e096

SHA256
9e7cd5e14c55d0efdaafd20ab4fe119ef55d2ec8aa8c5bd64e7aa5874fa95561

SHA512
547690e3f598372460463bfed5af148bddb4e13cfb45e62d5e942e7345e3d66896048f7d836c98a52d88a8f6e71a4fcb788021328d48269a2ee6a087ba2a380a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
d721110fcc9cdf8a8bac727344e39f7c

SHA1
2a5c7ca57a8c56672177064eb0b0250c90699398

SHA256
274de624e793139f392b7d52f24e5d8ddd135cd8083090c04e1909b03bab0753

SHA512
3387b0a6e457fc92d24e0b7b1d8c5dd8a3e4d9993823034a9c94ca8bab75c34573ff379474dcf665ec52cfb9b5d4e90f49895da7387b0e58afc85f00d66b2c41

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
39217b255bfa9bae30e8ff9a71cc79f4

SHA1
3239a52d11dabe91fe95aa35d687e0340eaf6750

SHA256
4faad83630b7e4860ef1c8025cda8eae10ddc82322e085b807aa97351b472df5

SHA512
ff4c5ff432e05fc54c5af8b381edb5c8b21011d277a2052e1fc2f43350d125b51e74ba8d30eba9c44474607befe7d948073386754f5199e09e19473750d78cbe

Download Submit
C:\VidS5\dobxsys.exe

Filesize
2.6MB

MD5
be94bfb7b175a4dfa73911734be2a2ea

SHA1
ccf9b82e25ea94ffb3b991863adddf1aa038d686

SHA256
dfceaf786b59d7f06429d876f6c87f82593646f8d863d4a9b9afd1de375573f0

SHA512
d72d1d2a3b51970be7537c57b162f3e588c2b052d90380ececbf883f93ad14c2cecba9c81560e98dc4ab2f089da7a1b37113730ab84ce2a4364b15894f469487

Download Submit
C:\VidS5\dobxsys.exe

Filesize
2.6MB

MD5
a7fc4d452492c6c8c3f55359788072ec

SHA1
d3896889876fc8f53c6148fba9b7436884d31470

SHA256
88e7a0c6d5c02457b0af7d40b06f719b86d39e43710b50eb57ec312061a3baa0

SHA512
de32b77540a37ed04d6e25f06f4db015ae3e92955b19502dae43ad4f7d573956672a0d690b9ba4b05172d894d9aecdd6d799b5cf7623a34da95ceea2051505ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
2e9e066e463f7652d85467d502b475e7

SHA1
80891252ae2a454544f009a91401581367596202

SHA256
8c81ddf052c2792503242a4211db6e28c00f93a698ead82b0ca8143455973e34

SHA512
42cef91f8a39b19ae32ab33968da92fd9804144d142ca5cf20308ea71085b397aace83758d845d9f2103ba23ca5329a6f50c8b1906c883f37e0f4df2f4ed9571

Download Submit