a1a9b0cbdfbcdd509f8d1d4f397c6c9a3e75858ab74283b4f05243ff79dfbab7

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69e7875546cca40183a57b4bf1aa9260N.exe
Size

2.6MB
MD5

69e7875546cca40183a57b4bf1aa9260
SHA1

ea91a1f6d69d602ea320086e86271addf4d83475
SHA256

a1a9b0cbdfbcdd509f8d1d4f397c6c9a3e75858ab74283b4f05243ff79dfbab7
SHA512

6364e79c267285f1727a19380a85346eacd8610b89b10f8824b6e0593fd75a2533671fa6938829ebb75dbceee492eed53de33abcf318afe6b4e68cd5beae8e20
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUp9b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	69e7875546cca40183a57b4bf1aa9260N.exe

Executes dropped EXE 2 IoCs

pid	Process
1592	sysxbod.exe
3016	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	69e7875546cca40183a57b4bf1aa9260N.exe
2356	69e7875546cca40183a57b4bf1aa9260N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6A\\devbodloc.exe"	69e7875546cca40183a57b4bf1aa9260N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNR\\dobdevec.exe"	69e7875546cca40183a57b4bf1aa9260N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69e7875546cca40183a57b4bf1aa9260N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	69e7875546cca40183a57b4bf1aa9260N.exe
2356	69e7875546cca40183a57b4bf1aa9260N.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe
1592	sysxbod.exe
3016	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1592	2356	69e7875546cca40183a57b4bf1aa9260N.exe	31
PID 2356 wrote to memory of 1592	2356	69e7875546cca40183a57b4bf1aa9260N.exe	31
PID 2356 wrote to memory of 1592	2356	69e7875546cca40183a57b4bf1aa9260N.exe	31
PID 2356 wrote to memory of 1592	2356	69e7875546cca40183a57b4bf1aa9260N.exe	31
PID 2356 wrote to memory of 3016	2356	69e7875546cca40183a57b4bf1aa9260N.exe	32
PID 2356 wrote to memory of 3016	2356	69e7875546cca40183a57b4bf1aa9260N.exe	32
PID 2356 wrote to memory of 3016	2356	69e7875546cca40183a57b4bf1aa9260N.exe	32
PID 2356 wrote to memory of 3016	2356	69e7875546cca40183a57b4bf1aa9260N.exe	32

C:\Users\Admin\AppData\Local\Temp\69e7875546cca40183a57b4bf1aa9260N.exe
"C:\Users\Admin\AppData\Local\Temp\69e7875546cca40183a57b4bf1aa9260N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\UserDot6A\devbodloc.exe
  C:\UserDot6A\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNR\dobdevec.exe

Filesize
2.6MB

MD5
ac2dd37dea638b621216a3ba4c193aab

SHA1
832a7964b5c3d52bb0dc7a76db43d1e5821d3bdd

SHA256
f5823f254b231bd8e3040ff7b7b658eee51a6e531adec045a0ca0e32b63154ff

SHA512
13991c9d4d07553e0209af977e97bfd5e24aa40fd950fc4a62e47cb34e6daa5b7c79adbc238558cc985997b2a5edaebb4f55b70a869ecb9a9f3db8a1dff6fb93

Download Submit
C:\MintNR\dobdevec.exe

Filesize
2.6MB

MD5
f0b30107cbfc3928d6f6f7622fdacafb

SHA1
6ea68faee04829565d230d357f720765fa0430f3

SHA256
d4f654631f2860ca47b10246174dbdac4ba2452f6bbcc23d1149c348c72dba0e

SHA512
926b3b62eb59d5323b6da7a6c6deeb1bbbccb77f287481bc0897461ea14571d0488f540b1a74b4d08f25297c851f9e7da8b053487900c4ae0bb868c37bbf99dd

Download Submit
C:\UserDot6A\devbodloc.exe

Filesize
2.6MB

MD5
8ebec9475e23100e9cb6aa1abc44728b

SHA1
d6665f0c4777d69d91f61919b2c7dd8b9e68f6b9

SHA256
482f287b2cf623d7a6f70868fd5ca137252488db2a00f6be6fdbf6bc95ad79b7

SHA512
3da400bab941c15bbe1b289b441fabee81512602f10cccad990a504a3d2019356525d4e0fa7d7178a5645f65e43141c74a1603060e4b2c3bd7b0e14338b37cd0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
998f04c743bc67466be13aa86f907a30

SHA1
e254db07cb280cc3b2b3ae40dfadb1746f8c5fe9

SHA256
3f1fbe83dae8027954fa4806afd231b3a291940eefb9a6a3c9e498332f9a4842

SHA512
39203c802624b1b42fbf120bf4a2d9c067c4339b825c8e036273ba9eb55315753011241a8620357459169f822bfd628584e93b57dd05212f65cf3c9d4e0b21e6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
cbcc9ca0db62918570ac9aa665a0ba98

SHA1
47679eab1d1ef4c580c407c3efdb7237d13a8b23

SHA256
6af7fa031ff61d3a33bfa084291acede0eb1b58374f1b4dda8e911cc648f76e6

SHA512
40edaf594b76508260ca6f865e65f9a6520f4860f39f9a4836d91e80677d5865a0575ef178c09b88d70edc8dc7601280d2e419d8e5b67bf2fb16449f0c4f5241

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
1ad698452fe287ea500e91e544e2b5c6

SHA1
8b453807bebe9b6c1c3d8329797d03d759a8831c

SHA256
29b75b282dd67de138a072dd028e7583b42910be651a75a11e73d0a0cdb74218

SHA512
404fc681471a50942f95247eda265a548bce68e0c2e730f0a126e1fe852e09a98a24ae90d4956df9d4912b5ee8fafe6c4caf606e00326e1e7d6fb01d77797792

Download Submit