815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22d746c3f1a3d9dac251f7e782a1580N.exe
Size

2.6MB
MD5

b22d746c3f1a3d9dac251f7e782a1580
SHA1

3f367ea3cc2edec81797d822920dd4009248c613
SHA256

815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f
SHA512

cc7819cc7410db397956a3f5f6fbadafedd11f7a64ee12ac0014310fd0e80e1749de724ff3261dc7c715bd9680e198f9489a4b35b0bb27c0748113658ee8ad0f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	b22d746c3f1a3d9dac251f7e782a1580N.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	sysadob.exe
2708	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	b22d746c3f1a3d9dac251f7e782a1580N.exe
1976	b22d746c3f1a3d9dac251f7e782a1580N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVA\\xbodsys.exe"	b22d746c3f1a3d9dac251f7e782a1580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY0\\boddevec.exe"	b22d746c3f1a3d9dac251f7e782a1580N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b22d746c3f1a3d9dac251f7e782a1580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	b22d746c3f1a3d9dac251f7e782a1580N.exe
1976	b22d746c3f1a3d9dac251f7e782a1580N.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe
2660	sysadob.exe
2708	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2660	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	30
PID 1976 wrote to memory of 2660	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	30
PID 1976 wrote to memory of 2660	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	30
PID 1976 wrote to memory of 2660	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	30
PID 1976 wrote to memory of 2708	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	31
PID 1976 wrote to memory of 2708	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	31
PID 1976 wrote to memory of 2708	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	31
PID 1976 wrote to memory of 2708	1976	b22d746c3f1a3d9dac251f7e782a1580N.exe	31

C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe
"C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\UserDotVA\xbodsys.exe
  C:\UserDotVA\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZY0\boddevec.exe

Filesize
2.6MB

MD5
af699d7bcb0c03a0495b8e955da7796f

SHA1
d46dfeeab3c5bbd86d0eab8750a3f405b1ec6208

SHA256
fb7b873fb69a06104e04e0a278398014de8cb9eea515bc2df4e14c9c63fd0ec3

SHA512
bef4fe0162470a422a74d1f254cf89372807c3de80c5c684632f2ee2d41e7fac306525874f0dc65b4683d23e2895cc854456bf056495d22eab1605b5962d52bd

Download Submit
C:\LabZY0\boddevec.exe

Filesize
2.6MB

MD5
f84d406ffec0fd4313039d4a8ac3ffb2

SHA1
8a7e3e8ffa610b38e1cf156fc45c68c55cfa1eb7

SHA256
28c159fc12e4e5e57a838bdbf45aa4ec3c9284aeb796daa5c73a2c889cb2d236

SHA512
9ffeb8f9965df71c096b18799a137ddb3b5f36452f55d241f2d23d3c4c0410db1efdc4792291656aca7e8100e552256429ab91520426483fe822d263fd7b4953

Download Submit
C:\UserDotVA\xbodsys.exe

Filesize
2.6MB

MD5
c90179757e98267e01dd4b6f4dd34642

SHA1
fef3ebe3984955b9a72b1c89909bb813bebdfe26

SHA256
ce7cbdb91c4aef88062daae875fb87b2683cbf5f6fbc85b9b0ca4d16ee233149

SHA512
7ffb385f27941baa5baa4a9f3fc5d4500069f86e493a85246419fe8210bbbcb3e7a5088ee814e25312e35bd720ab7065ebb5fbdc475bf8133959f5727960ddb0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a6afb21af98512a78f8a927b09784fbc

SHA1
6eb8e0c66a1b3e81606efff8232e5cb32f0ab8ed

SHA256
1d2df637c60b7525f81d4825cbd1b40bdb12c4401258530f0b081ddee47e4272

SHA512
4d0b33179ca8e01ab5689307031f43a41db7bd0a5e369d076d511cbfa1f97830213c8986704e799ef79305d99b8bc8c7cb1a9f19a205c654773fccd8151ae318

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
2b3e5da0178820e0f41ed311861b91d5

SHA1
8507a63ec32b66f89ea2b85d91016341f158651d

SHA256
05c8885dccfbe65459d64fc82004bd74ec0d14c08abd16d299054f53f890ab05

SHA512
eb5058638cb49d42f5e71aca95b12245b30ed4af2b5c0c62b61390aadf7e9b5396f01f13b088443ec924a0bb586847f207cb07159cc346db7e7f042d385664dd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
68e2ea9b8bc2b514e769a6ce5f68b4f9

SHA1
5c42937f3cc9090e4e620dfd432049358ea761d0

SHA256
7322889887f712d2fccc77f87be2f5401b8ca824db985c5e3553fc4626888dfb

SHA512
1b7d44631e9431a997f2c16c66e0c55508dfafed7d44b186c434c6d7c0417776e97acf890f975db649ab2c46b03f6d5c21f9a9d1eeee176ef1ea7ba2dd66ba30

Download Submit