17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
Size

2.6MB
MD5

31aaa86082487967ae1f7644660e8902
SHA1

4196115f67f867e8b8364e7ab8bb22fb910668de
SHA256

17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059
SHA512

b1a4892b2ad5bbbad26f77d17b6146fd5463af62a4feb5aeea8abe9ee827bbc89db64916c089e519a65b2755edc79a4fea5e5d23ecd0d1191f69c46eb675f71c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUpHb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	sysabod.exe
2772	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvA0\\xbodsys.exe"	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZQ\\bodasys.exe"	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe
2756	sysabod.exe
2772	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2756	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	30
PID 2936 wrote to memory of 2756	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	30
PID 2936 wrote to memory of 2756	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	30
PID 2936 wrote to memory of 2756	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	30
PID 2936 wrote to memory of 2772	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	31
PID 2936 wrote to memory of 2772	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	31
PID 2936 wrote to memory of 2772	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	31
PID 2936 wrote to memory of 2772	2936	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	31

C:\Users\Admin\AppData\Local\Temp\17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
"C:\Users\Admin\AppData\Local\Temp\17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\SysDrvA0\xbodsys.exe
  C:\SysDrvA0\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBZQ\bodasys.exe

Filesize
2.6MB

MD5
fd8ea4dceabaac1a3da1f07271b06d20

SHA1
8e4d7664ced7abf6013708aba741d39a4da47c7f

SHA256
c03b45bc50c025879dd2f1350280d6433af96053f46a65675aeda2beed9b5aff

SHA512
5fc76c0941f79776faac273c9976f3864892149aee4515fa12548b949f2c093a2aa70abf3064ee9db8b97751781bec6449c0934b9a9e2e485c63f9eca34e129a

Download Submit
C:\KaVBZQ\bodasys.exe

Filesize
517KB

MD5
2dd36c9c59c251cf3ea4f1644d0c417f

SHA1
ca42366de4dbc9f55877b33a6eb0d2ea0c95bf29

SHA256
2ad912f1aefba2b71d301e820269807db6c03098ae2c54c89adac94aed73768e

SHA512
5a027547c70b87170432d15f61fcb181de2f3ce5b2667a7603528d6e6b455070a94db12c2083ebea536b74f4c4bed6a3dc833128a5b8db986eccec0e4595b8a2

Download Submit
C:\SysDrvA0\xbodsys.exe

Filesize
2.6MB

MD5
49a5c3850d1603a6b149234dc571b894

SHA1
ee4562855bdcb380ace55ad3dcdde06abe8cd66c

SHA256
1db6277d8e4d8d5f2f4871737bb535ae3e3cb03dfd41b18b5004d10c8acb829e

SHA512
d4d92430bde4c9010bbbcf85a159aac67494765d27b3c1ca53486635ddef1c3d1356e5cc8ec124b7e68385f2a32fdd4f03c2c2e57182bce87e9eabf8630121f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
ea0c61755cd5f630fee7e3edc677bde4

SHA1
68f1c034914a844b50c5cbfa1313c3eecc39b44b

SHA256
42d5d0626ddd570685a0a2e30d0959bec2f07dd336f9c261a4ff5f4a18cc1ba8

SHA512
8af4ddc5655580b7b1b991138b56d40cd569dc092ae8d00615ccc35566276f65d99fe740c97bd41eee83e45ff9aed8cecee37ee75b6077bbf712402f826c263f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0de0dc7abd1ed6bce4ae125499d41640

SHA1
43d2e816e4d27309f89717a403a93a71a9370bab

SHA256
941e93f500b74604c04d952c2199d246afe3e1e3de35edac686dc57cee778939

SHA512
bd81c3b064b1c1a7c8d9990892375f7141fdf6dbcafff088a75df4edcc9ef4c81d53ded4d7ecf418d2356d26e16647461778c2fac2528637241227c4a4d36a02

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
e1a23ec394e67585495f55060afcd482

SHA1
cb970f824c51e6b5a4fb26770c7cae2d8fde982f

SHA256
f12ac61fbbc19893c5423a184aed509e66888cf484054de2eba036436d3c3c47

SHA512
c4dcf3503e8f956da41c5ad581da765c75a97d8c30a62746adeb2e779fa22e077e4533c9efb4805589167d45e8ed14798bcbfabf41524c1f5d0fcaf56e1532ee

Download Submit