440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
Size

3.0MB
MD5

95c89cc647e6e447dd96d9ebab512820
SHA1

985bd7b5201919c73de60e1de49bb6779b833567
SHA256

440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78
SHA512

9d9090f8e9d1374a199f78b1c4a3e8ed61adb45645cb6ad06415c265ed697aab3755a987c6255e2f8d07e472c2e08ed1ad4ceee73eaac9d97698cb1d756d1f11
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8:sxX7QnxrloE5dpUpYbVz8

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	sysabod.exe
1644	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN1\\xdobsys.exe"	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2O\\optidevec.exe"	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe
1496	sysabod.exe
1644	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1496	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	29
PID 2552 wrote to memory of 1496	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	29
PID 2552 wrote to memory of 1496	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	29
PID 2552 wrote to memory of 1496	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	29
PID 2552 wrote to memory of 1644	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	30
PID 2552 wrote to memory of 1644	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	30
PID 2552 wrote to memory of 1644	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	30
PID 2552 wrote to memory of 1644	2552	440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe	30

C:\Users\Admin\AppData\Local\Temp\440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe
"C:\Users\Admin\AppData\Local\Temp\440b5d1536efe06c20350dff365397b4ad4647206f8281e59e17a195f03f9c78N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\AdobeN1\xdobsys.exe
  C:\AdobeN1\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeN1\xdobsys.exe

Filesize
3.0MB

MD5
99670beeb8daea651879feba27890566

SHA1
3c016b4bc7bec6b861326c328819633f0eaeb0b7

SHA256
91739c2da91c2447052c410740958feb0c524b5d59b0d59832d6cfefce332752

SHA512
ecc0d80b62ae71e125ebf864ec9f2832a16a8a9aa58bfb4e318b28f91ef9256d224eb9774325e0fc965b4f8ec3fd3dbd044cd9e1f9cd489b4f4bc0d5f2a49cc1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
9eb523318cbce0da6fa61c6d9f20656c

SHA1
86e86e9fb1f950f0f9c6cb8213a01ce388a8b9f5

SHA256
69e65f73eebcf729f8ba2b8c7c7509eafe5abf16d38ca0fbc2dd67c6f8bd1565

SHA512
a18e3a8cac1b9386cf2554203b5c6d612fcc550828ea4d16279b64532b087a9da3aa01419411b8fa735ac6e896c23d2502a8913c4d8ef45e0e0a2c8bd9174936

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
241af8a78a7e46302a922eb8201aa10e

SHA1
64e9eab39e90bde2c09037aad806d6993a970e59

SHA256
0dc13f8940ab0b0a0c3f5837acea63b2586ac539d7f386cea34fcda5f88bb8cf

SHA512
dd9244b1d5a81010d1ea3b31a204f59cc4c7121276805e87e6e0e02c1a931ca8e3318c7ada60b5f7f8d5b173917517a4a0135e740561016110e686062b2727e3

Download Submit
C:\Vid2O\optidevec.exe

Filesize
2.5MB

MD5
2f2c014071e25d365e2685ad2131bf9d

SHA1
3f49fb252f7070d2093d9aca717dd6fafc00e964

SHA256
e2ab7470412c573455182b9f541bcb9ccabc9a5e86ddd92064cbff5f9a947032

SHA512
bb032ff10c17cfb626f9a1e121a03e4d2ed53afc657c41ea01ccf393b2e2cfb59d1653d7cbbe97166811b2d10fec066ee1beaff70e96404457ecf562e7d542ef

Download Submit
C:\Vid2O\optidevec.exe

Filesize
3.0MB

MD5
6304d86cd5847922859adccef2a6f6dd

SHA1
d4d534f9ec7c1513c257da5e3f26264f02bde3bc

SHA256
da7f675606013c0031f5c134a99b92adcb54a6eedc7366f599e23b83dbe443af

SHA512
db7c1a31ce27c83ae5b033c4fbf0296f12721f3bad0f712ee902af27f89bdb9e72d50b08223d8a109a73601be29a4c605a18baf894083aaf83ddcaae8463645c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
08dca09a1e9f84f1e7f74126b25b9eba

SHA1
c8fd3f614c4278a2839ea98d8caf818f7317a2e4

SHA256
cb26a3dd4412a01ed1c116b4ba3c1f4cb814a3d4be458738f2ce5507e67b6d6c

SHA512
ee00fdf7b5f7c5d6b59f142fd10aa557e51c74e3f65160b20ca94c09682b9a248cddab72cfb99ad4271315629520b97b7e1756bba8dbcba9369878c938dce55b

Download Submit