377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Size

2.6MB
MD5

c3b8b760c276b560a885226c2449a497
SHA1

a1fbb0ef2687b89887b5b3cb8bc9c59400b3acf7
SHA256

377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35
SHA512

973fac4ad7f0380fe7cc8d4b149d37c1f8fcfc32bfdf3b193b85fee6ea09bf3dea21cce0e370bd0c30f9a1468a8e0bb11ba36e35551d912962dca3e5c59d5f6f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	sysadob.exe
2844	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFR\\bodaec.exe"	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK3\\xdobsys.exe"	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe
2808	sysadob.exe
2844	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2808	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	30
PID 2720 wrote to memory of 2808	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	30
PID 2720 wrote to memory of 2808	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	30
PID 2720 wrote to memory of 2808	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	30
PID 2720 wrote to memory of 2844	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	31
PID 2720 wrote to memory of 2844	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	31
PID 2720 wrote to memory of 2844	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	31
PID 2720 wrote to memory of 2844	2720	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	31

C:\Users\Admin\AppData\Local\Temp\377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
"C:\Users\Admin\AppData\Local\Temp\377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\FilesK3\xdobsys.exe
  C:\FilesK3\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesK3\xdobsys.exe

Filesize
2.6MB

MD5
5cced17e5b352a32921fdf1e75a90094

SHA1
e8df7b52a58d4edc4ba9658fb6b5e9437135410e

SHA256
e70eafea0b920f29908ddf0a9ba8ef534b7c06f313706029d65d5936c2b31a9c

SHA512
7038154214a765f345ab45e209d4f5cee8366b77b8501aac2c6c35865efa8ecb71fa6dfb8a4e41ac85ea0c3281484052cc9a013e9dac89d5682a1c858f4ab2df

Download Submit
C:\LabZFR\bodaec.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\LabZFR\bodaec.exe

Filesize
2.6MB

MD5
51ec224347a1faaacaec4c755bb228a2

SHA1
cda4da4fb01d978bcebc7e1a43830395df1b4865

SHA256
985389a296c4a63740f2a418d6fbfa065f30c3da0e2b04007aa72cdd6f804f15

SHA512
d0d4baeedf54c2828c660fc75e5baf01a31de388257f9ec2f4f747522b8b4f1aa01e2d5f1517c7df05944a5cc61a8fcf42f931b6231b10b542dd42c2f372ceea

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
aac6e14e079375fa33b6fb3513b3ea50

SHA1
a14e474bed9f585e84848328859e0bdb3b01acdc

SHA256
e5643612156b7331e4ca61aa5471a75e3301f2542a020623be95afb721c5481b

SHA512
176a3da2c45bdb7e50ae47bdc0d7bef031f2c727aaddb38bb8b22a864eb11d321b9040635e99c85d9b7a114836188bc7ebcf19e7c79d40881c0c1ae539111cb7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
d4aa35379b4d3ebb791a5a1533698e66

SHA1
3aeedd98f6849d892cf5d7be01f7d9661c1306b1

SHA256
69716b4ba847dd74516302a357613ade97c629600ccc62bf4dc4981d65956a84

SHA512
ba90f614a77d32c71e54f7604b12fddcfe665e9f4391b5c47a3700fc285e44ffceec223a83a1691c8ca965bb97e34c82508404af30878d771876ac07b79485b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
13620d7296da1fc3bb33ac2c79b9b956

SHA1
a42ea71ec2e98a2beaf835fceb37efe0dffb09a3

SHA256
1efb789394e45111caa9d39a3d0fa05201db4bc40eebd72991d242cb785b17c9

SHA512
ba822e919a9d1876a9cb779ae519cfd98225302a6f44969f00a4f541b6757c49263575a1ff9d2de29ee7ca151868423440cfc06d643e8499359065c6897742ae

Download Submit