1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Size

2.6MB
MD5

e85314befe69377f737ca5192f3b16d3
SHA1

f7dc6a51bb6c995449a5f31710cb76cd4ad72ba5
SHA256

1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472
SHA512

18b523766a99cb932ad2cf5b54ef19bcde64e864e83e04bae2d55ae4fdc65046049c1592d532c1f9824e6299081d86e982e0c293a12671e36ae4de6026c146e9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	sysadob.exe
1372	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\xbodec.exe"	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1Q\\dobxloc.exe"	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe
3004	sysadob.exe
1372	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3004	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	30
PID 1952 wrote to memory of 3004	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	30
PID 1952 wrote to memory of 3004	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	30
PID 1952 wrote to memory of 3004	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	30
PID 1952 wrote to memory of 1372	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	31
PID 1952 wrote to memory of 1372	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	31
PID 1952 wrote to memory of 1372	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	31
PID 1952 wrote to memory of 1372	1952	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	31

C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
"C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Adobe96\xbodec.exe
  C:\Adobe96\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe96\xbodec.exe

Filesize
2.6MB

MD5
16ca3c642ccd6e8dfe0339f93a6b3299

SHA1
a03864c2387641bcd8323ddbbe37d0c0879ee3a3

SHA256
60b4ab6ce2ed638ec25edbd3e0739e08ffe34efd333fffd8799f4ba40cdab796

SHA512
b2fc9c3295a8dba409c413d64159b52826b0a623620fcad71ec357a495a8cd20b81eed4d34f1417d9e84d17665404bc2b8e0d9c64c9ecd155b1a8f35fab792d3

Download Submit
C:\Galax1Q\dobxloc.exe

Filesize
396KB

MD5
544f00a9f99c64c3863752512c76c463

SHA1
f5fab52880510b1199a10c4cdf2d8acb6db0027d

SHA256
f788859726432dcb48aa65529bf65675324777d398faf565f2ec6dfb585b587c

SHA512
71a9c1b0e0bd3d8e72b034608ebaaec3e7324e8ccfa3a859348e92d403f873d884f932e1a38905508e69a47adce88e0c94158a5eb61ce8957ab838984ccf3e61

Download Submit
C:\Galax1Q\dobxloc.exe

Filesize
2.6MB

MD5
e490d63d75f4fa602fad0ccc3e9fb47b

SHA1
14e8a0b53aa80fbf38f9091a689da5b856b455e3

SHA256
3e76b5d9631278de87e4468f21b5efbc88d99760bbb52fdddb4bceea875ef2ef

SHA512
a4992b3386e68c7eecc88141904debfd17576b228359a249b48141b5b9f7479d79fdadb7c121c8ad0728b7078cc793f0ce3a8a10aaea2cb7bfb2abf49247100f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
c58a572df842b7204b2b49b43d79ba29

SHA1
fe4f78757cccb82e74922a94c39f20d8a3019ce9

SHA256
0af0ecbe338e991459d18fd2ed4a5eeaa8a9512bc6dc112f469a8687fa69fc27

SHA512
6fe5b0804c02ade160905de9c3149ff1573aecb1117868164e6ce216c1f966de4b0a0260f8cf2e6e5a88db1bd08a7b66a7f80ddecb818de205d35d860224bb38

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
985bb2aa17607ca49546bed4995e6910

SHA1
66d264920f8e7713a45e1c4c30e1ee4697748f2a

SHA256
7414a0aba2dd36af2a7720724c28c8f576306908c4378457a3c12199a21220ae

SHA512
a6ea807344a4975e537dbb852869e3d2cf69f557dcdf6d861d20049d1f1847f1c0d877416e1150f70a9bd7d614f9cf4a75b1fb4a765c9fdc7f59abfaed6d5ba1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
28c5dc097125078cd4d0548876073cc9

SHA1
6f65d7aaab40999638ccee9eba1f3828cfc55294

SHA256
b86a673193ff73433a7849fc4c3e3d61da3cb3713e33d6444564af912de1e093

SHA512
42e2fee2fbd4847624d85e628c7c2627577fbe07c3d9e1f21971d83f37faeec83215a04043e8c488d4596260cacae09c54f01d81dd6e05b354e059973f27a9c9

Download Submit