fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1440106da82fa1a98020be948cab990N.exe
Size

2.6MB
MD5

b1440106da82fa1a98020be948cab990
SHA1

862fd6505c7c365e2cd9285bcb50c3e08ee9d21f
SHA256

fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721
SHA512

20d48a5b0ac20f10b113cad79972677f3a1f4b8d844b55c0c458a48e3943f65094937275ad44fb3895df9f2b7bf6edf5236acf6fcc80316210ab90a396372c49
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	b1440106da82fa1a98020be948cab990N.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	sysxbod.exe
2432	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	b1440106da82fa1a98020be948cab990N.exe
2428	b1440106da82fa1a98020be948cab990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2Y\\adobsys.exe"	b1440106da82fa1a98020be948cab990N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7V\\bodasys.exe"	b1440106da82fa1a98020be948cab990N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1440106da82fa1a98020be948cab990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	b1440106da82fa1a98020be948cab990N.exe
2428	b1440106da82fa1a98020be948cab990N.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe
3024	sysxbod.exe
2432	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3024	2428	b1440106da82fa1a98020be948cab990N.exe	30
PID 2428 wrote to memory of 3024	2428	b1440106da82fa1a98020be948cab990N.exe	30
PID 2428 wrote to memory of 3024	2428	b1440106da82fa1a98020be948cab990N.exe	30
PID 2428 wrote to memory of 3024	2428	b1440106da82fa1a98020be948cab990N.exe	30
PID 2428 wrote to memory of 2432	2428	b1440106da82fa1a98020be948cab990N.exe	31
PID 2428 wrote to memory of 2432	2428	b1440106da82fa1a98020be948cab990N.exe	31
PID 2428 wrote to memory of 2432	2428	b1440106da82fa1a98020be948cab990N.exe	31
PID 2428 wrote to memory of 2432	2428	b1440106da82fa1a98020be948cab990N.exe	31

C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe
"C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Intelproc2Y\adobsys.exe
  C:\Intelproc2Y\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc2Y\adobsys.exe

Filesize
2.6MB

MD5
0f7dff2644226790bb3de7175ed557c5

SHA1
3331239e42ca41e49907a0c922507225953b924f

SHA256
8fa3b2d9db81458b3254ce0106e98c99bc45f0e2ff19df5a7c3209fa681a8642

SHA512
b2395e8e77b86ccd1e0f109e1bef7440f1c5d21fc5a29fd75c9c81868b43d41b963eb06a55a11d512b38d404bc2ea270c4b3009daa7610125091bae008b6caa7

Download Submit
C:\KaVB7V\bodasys.exe

Filesize
2.6MB

MD5
1e6adafe5f995d91b26ba9142de89560

SHA1
e8d620a0d84652663e71dc79286b150677014e42

SHA256
9758a29ef15c841a168b22217b648c79a63ea3fa670f04a8a308bd37b7a175aa

SHA512
9e2edad756faa7957ad4f7db907d1ef6ccaffad394816e678df931dc93bde1ec37b5c90af143a4cecdec5c3a34413a21ef6dae05cc8526711550bd833dad8d57

Download Submit
C:\KaVB7V\bodasys.exe

Filesize
2.6MB

MD5
7b8c0560d79511d2d3b7a8d6ec337dc9

SHA1
cdb8f681840f44c85e13058c62c5dbe7351892ec

SHA256
c096f2d31cb2ec611746f9767a6a0fbd3c0fcf5425077e02cd3c653f5419538d

SHA512
da0f7cc1092c482b275f51709b10b7c6c2e83343bc665b332d793d7977bd2a1ba9a78c6c7c626547533bd52ba03287155239da4768d210c3295f37ad0cb74d7d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
e004ed3fba0a97eeec58449d65991f23

SHA1
4226e8f789cdb8b59a0b9c0b9860f58b0ee034c7

SHA256
eab32e48110becce1fe49a8203460b0a0ace14234a9338affa37c25bf3a74570

SHA512
afd799ba9e5f188c4f241053caeaff949a8e94fc42fc8b4becb71b13b4728fde6b69052607f8f8ef10b9c2c3b6a823319fa902e474f9f052fbc6b5c3f5f3d656

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
4c4f9e4453297191c0089d70fb977aa0

SHA1
2e0213ffa1e76bc7eb6155deae22ccf094e90691

SHA256
86408a6e7ffa37ad5f43b314b820d483ef1d99745cb7775b1979032ffb03da45

SHA512
1f97cd51d464fa6d647521d80c9e95e492cd8bbf8614287a98c32de5d527c9cda803ff48c32cede01c3f3a90616fb7648a41b58a1d716cd14addd85e5132f734

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
4397862a7f3dbe169cff6678ba3678de

SHA1
e567049287515a4e3e83c7831d47f1f20cfffd90

SHA256
b0c0aeb045cb7199f6d1a19d521f8824002a2dac75e3806d5edcaf272fc0df9f

SHA512
68f32735af189e7343d899477f9ea82e70b9c676f0f4f5fe7c8bc91301c69832e05e30cec598956089f87684fe15a004322399d48dc740270d32d021f429bbf5

Download Submit