196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
Size

2.6MB
MD5

dd394524c49d0fe66b0b926e7bb03c71
SHA1

00a718df2bca0e2d25ad8790b92fef55360b53d9
SHA256

196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03
SHA512

0a4e589d56d6b8cf935a5b32b4564e4cabb02ea6257f6805ca73c28121086898b5d18752a01b84645f6992a0219e12f9dc3b40d4e5cdb8e819db9cd4c90edd90
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUp3b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	sysadob.exe
1308	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH1\\bodasys.exe"	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIS\\xdobsys.exe"	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe
2116	sysadob.exe
2116	sysadob.exe
1308	xdobsys.exe
1308	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 2116	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	86
PID 4076 wrote to memory of 2116	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	86
PID 4076 wrote to memory of 2116	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	86
PID 4076 wrote to memory of 1308	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	87
PID 4076 wrote to memory of 1308	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	87
PID 4076 wrote to memory of 1308	4076	196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe	87

C:\Users\Admin\AppData\Local\Temp\196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe
"C:\Users\Admin\AppData\Local\Temp\196d0bfd234c8695a6e439da93ae64437f197610f98741028c1ba3672b921d03.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\AdobeIS\xdobsys.exe
  C:\AdobeIS\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIS\xdobsys.exe

Filesize
2.6MB

MD5
ce3aec014e222f178d4f8d4396755c29

SHA1
8687489a43517fd11dc2711a4f845e118bc3c8e1

SHA256
448ab0005d81d3ecb42d3f706f8bd5691909b37d136c12f9a787a5949beb6a67

SHA512
7db09307348f11ab74433080c40dea4415c53e92f3ca1e1d496f91fb780d690829a33c94b4e0a2d08656cff31fe3b0ff4b29e17ef9c402ef7693ae25f484fca0

Download Submit
C:\MintH1\bodasys.exe

Filesize
2.6MB

MD5
0348053f7aa9eec6c586a48573014e60

SHA1
58c22e5d0394788562aa567e5f58e8d984ebaff8

SHA256
4f741be03137e3a07c259e1851b464ca77547e95c60c1b0f1219c4e16a3c141d

SHA512
4c81dec3460c5d2c35962960966725f3b201500e3b97edef6d19383ab3cc58c0c2269e2bcf231e6029f1eefe2e717cf3464fe995ce5d0861b15a28eb2a1be9f5

Download Submit
C:\MintH1\bodasys.exe

Filesize
151KB

MD5
0ab19685d8f6160d13a819a58b898a62

SHA1
681c1c28512717f0ab02608de5045939bddcebd9

SHA256
8f205d15898db8fc18e37cf100373e1f51b6e053fc71cb104746a1585540c935

SHA512
9f4e0909ab5c8de838198aef0b48848f2ac9e141657d1128524eddcd86c3d8f551c52caa7e59b5cdcae740d45441b43f5141930eeb892fe335e33498a3355e99

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
f8259994458e9e4c8e103fb293c90b71

SHA1
fd0838eba58ede33fb0969050fd1530e664ad057

SHA256
dfc4eefec35a6f9c5120849d7151b31cda76d9d6ee7768e8767f01fbd9f24a49

SHA512
232adf410686e509919219add52e709c328b025647d114e1f756775709ce9eb8591150e4eab439482fe6a0a81d8257a82ab36de53d38cff5dfd0f502bb2207d1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
5cd7d2af0139b97e6dc9b69a4dd6a440

SHA1
4a2ef764762c4db3ab5596bbad99f6d09dfd6abd

SHA256
d1c7088bea97ad85e5443fc38a510cacd18728d630132a7c26e89dea550a1bb0

SHA512
89217723c64a438c264d8e61e36b2606a6e5dd60562e5dbc53f7050435892aa39a905188388de1a2b6429fcd0f6f436d6fccd586ddc1431d0e98e1488cd4a171

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
bb893e773738a417ac991554f2638bad

SHA1
79f29f6b78686208dcca369dd23c11ed4327e8df

SHA256
dce756c1dc02d8605fe912eb1bc0d85d33cd6f1096e1420a82b69b4e2f822951

SHA512
494f104b251f6872f451be811852118da53654d3b87a4713d9470e5d0b69ff2e9123832052d3665ef7fc259c8efedf621c5d7e903e66d58089ff42386acc7c68

Download Submit