6125c0bc6e882c126e62e2e167ed7dbd95be7a657a28222b5c0adf441dfc5c97

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b96389758a306664ea250dcd695713e0N.exe
Size

2.6MB
MD5

b96389758a306664ea250dcd695713e0
SHA1

295944fdf2f79898c3b78dc86d2a27f4d68893fb
SHA256

6125c0bc6e882c126e62e2e167ed7dbd95be7a657a28222b5c0adf441dfc5c97
SHA512

a8a0d35a72cd6946f1df07dfd97cfa4485e331157883a59bed4204abcc47edcd403bc07744b34c0dd60a5a84fb79eb402b15a39d6f9e68e09aa49956a971ec39
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	b96389758a306664ea250dcd695713e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3976	sysxdob.exe
4760	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUN\\abodloc.exe"	b96389758a306664ea250dcd695713e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC2\\bodasys.exe"	b96389758a306664ea250dcd695713e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96389758a306664ea250dcd695713e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	b96389758a306664ea250dcd695713e0N.exe
1536	b96389758a306664ea250dcd695713e0N.exe
1536	b96389758a306664ea250dcd695713e0N.exe
1536	b96389758a306664ea250dcd695713e0N.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe
3976	sysxdob.exe
3976	sysxdob.exe
4760	abodloc.exe
4760	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3976	1536	b96389758a306664ea250dcd695713e0N.exe	88
PID 1536 wrote to memory of 3976	1536	b96389758a306664ea250dcd695713e0N.exe	88
PID 1536 wrote to memory of 3976	1536	b96389758a306664ea250dcd695713e0N.exe	88
PID 1536 wrote to memory of 4760	1536	b96389758a306664ea250dcd695713e0N.exe	89
PID 1536 wrote to memory of 4760	1536	b96389758a306664ea250dcd695713e0N.exe	89
PID 1536 wrote to memory of 4760	1536	b96389758a306664ea250dcd695713e0N.exe	89

C:\Users\Admin\AppData\Local\Temp\b96389758a306664ea250dcd695713e0N.exe
"C:\Users\Admin\AppData\Local\Temp\b96389758a306664ea250dcd695713e0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\UserDotUN\abodloc.exe
  C:\UserDotUN\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBC2\bodasys.exe

Filesize
1.3MB

MD5
38a1679154245bfc49bc0f6cbf0cfd38

SHA1
1067a109841129128736c38d6148d834d365af24

SHA256
cf19c3238885b466ee0788ffaabffd4b7805a773e64baa329dfb0b651215624b

SHA512
d0112a9c20d46d20746f64fc982d6de569d6c7384a13b8daf86078292e894e48fb246cc08280fd86d972e9e6dd6e7bebc2260c30c9c075a181437d0416446024

Download Submit
C:\KaVBC2\bodasys.exe

Filesize
1.2MB

MD5
fd5a1f561508ea2dbeab37ccc413a453

SHA1
b38bdce57eeafdd529f60e8a139e3cd421d98941

SHA256
a933b32bc0a217ef427c6b8ef8c65cdeb13cbb27e8f35db01b59c75077d4ccbc

SHA512
2977cea87775f83a7b58e5a892978e91abd6335bb8248a2ba8df3ff2769a6a0cf9820cd4c2102df0eb33df410846ab75f54fba78344c5d0f3a5504e0ae4142a6

Download Submit
C:\UserDotUN\abodloc.exe

Filesize
2.6MB

MD5
a92c18d648d89239fbf0339525b27edf

SHA1
770bf75d94cf2ad8c2ccc72c80181c3706e5c852

SHA256
2cb967212b4b1987d7cf6df0b3260f03bfe65b91ed27e524d8402704ae3dd7a5

SHA512
bde59aa250216fad1dc37e8573a248a4f65132af87224eb3745a5ecba8c7a1cdfc206d4bee529b7e4ad20ee97682910128401a9156b0b49f4c48173faaea1652

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
5365e14b5b0c2164576875d292e41e87

SHA1
22b8458883e9f305177406b300fbddc34a6bc0ea

SHA256
93e7ee7bff28d092efad457c23029355b86c8ce89f515e70263e5eaee8ddafb4

SHA512
398f7619e56ab60d73c3ad8fe6bcce30a5ad903d0d43b576cfb503f5a71f63166b9c1730d98d36e0fbfacb62ca2f0b5d03ef96027e9bd09b3ebc246418ef42ba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
496410874357837f996d12f1f4d5228a

SHA1
925a0c8bb68a5e571b3e250c97dec1ad607a2a1d

SHA256
ac545375e631f26d17ad4afc118ec9c1204ecfc14eeeca213ea370ff0a871b12

SHA512
809312c22e4f4cd5dae2975b808ae1e774ca4df70ab9be9cc820dcf66fda9d3606827c85b37eaa2c9f0dc7a4edb3a6970ad0c36860def457dd64555199bdbba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
6050a3de17eff63e6209970dd73b833b

SHA1
eefced1a620bb4fabd92eafd0bfeb490ab0e0ee9

SHA256
c8ab3e898dd48a03ba537d1f94bb27969ee1cf24b760ca4a04a8d1eb212c173d

SHA512
75fd832bfe348fdc8b24b7190d5c77acc0930249f96ee6ebcb287d174c9b44ce9fb66826a5d7ba0b0259b0180cf11b9bf00f098741c5c60a024590a19f188a35

Download Submit