a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Size

2.6MB
MD5

5837741bd00efb728cd93cfcf6ac01a1
SHA1

a3dc0e5bc0c7228a15a3094703d7da6516f75305
SHA256

a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f
SHA512

4d4639a14be10aabe68218d6164cfc7854413043edec805ce00860ec775540989f24dfdeb8789e8f426c5ab9fba588ac5a28639d2103201789b10e20862d2380
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	sysxbod.exe
1740	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot61\\xbodloc.exe"	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBB7\\dobdevloc.exe"	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe
2352	sysxbod.exe
1740	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2352	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	30
PID 1064 wrote to memory of 2352	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	30
PID 1064 wrote to memory of 2352	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	30
PID 1064 wrote to memory of 2352	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	30
PID 1064 wrote to memory of 1740	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	31
PID 1064 wrote to memory of 1740	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	31
PID 1064 wrote to memory of 1740	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	31
PID 1064 wrote to memory of 1740	1064	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	31

C:\Users\Admin\AppData\Local\Temp\a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
"C:\Users\Admin\AppData\Local\Temp\a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\UserDot61\xbodloc.exe
  C:\UserDot61\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBB7\dobdevloc.exe

Filesize
2.6MB

MD5
64af141cc66f901ad3d86aedbead85d7

SHA1
faeb5f702cedf2ea3c5b1896e93777263420c2b2

SHA256
6ef05f9e9e492bdf40d5f04a599ff686ae1874d3c48ce2ff9a6a3e1f0817354c

SHA512
f3ee09abc8c5db292c735c429531fe8740cff885b2b46fae07b0909836c0a54d7321f4027b92c3bd68c1baf202cffff57979a3624fc1d71d86523a841908faf9

Download Submit
C:\KaVBB7\dobdevloc.exe

Filesize
2.6MB

MD5
c3f9ae86cd5390fbda471be3471fb6e5

SHA1
db511c9e424906fdc474d6b613fb110ae828ff73

SHA256
e8cdb17f5ff76317f2be20a087a2c501da31e5626c2cc57cbe09bd4812080f12

SHA512
8d515fa570bdcffb8dde5666ec41d52674c2f20c44845911637602de723ee173ac1939fc4c7ed9198ee9da64bf13c854d98cd51e218933a2e3125d00cb27794d

Download Submit
C:\UserDot61\xbodloc.exe

Filesize
2.6MB

MD5
1c924baab2f937da4579ea529ba679c9

SHA1
921e95970300fa91260b0e5da745cc60064c4dc1

SHA256
32f743f0f3264109f6caed32f29600cdf89e877d1138405f81f885ea0e993398

SHA512
a39659c34101e33070bc4b7b812590bdf9a81ad90bbb9eb675bc7abee2d86b6f797c07861896136de49272ca764d022dd32a7624d685df21f0b229c940ea75a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
47e9fcbe48e30aad18c36b85c027b609

SHA1
8f275ee0ed7c1506134388d9415275e90d5644a3

SHA256
41cadfcf2bc63a4f4c0b5939a79d7b95e22342530731fcfcc285b46ef3e61927

SHA512
c319c44c086ebde46ca16feb6c73523c6b41fd7f1c886d9884eda8b7928f5da2a463c97585820d834149a535514f7867946bc6627ef7951910528f561eccc438

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
93232699cb546ce5bfae899c5f555795

SHA1
8bf5f20d6fc0773f377e981ca024d1d7e5d985ff

SHA256
3aed530eda3fc26a135184ceced8bda1e1ad442d52b4c606d6662fdd5ab507d3

SHA512
9070abf535f68bd91ac324e4e7c26049f0a3600b45c8b83716d19a478e4c180f0fb003cf9c659bf155e34f488ea0ee00e7b611695afe2245e1dcf6baa6ad580d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
e1f08d3e0f4a0d0763c1b69611db1479

SHA1
753a13fede4842865f6e365a6d726d5ca12dccce

SHA256
bfa708855af0ab2a22af5383da4e7ec4f940e2e2edfe7dca491001797ca05f7f

SHA512
7bf01fc45e95d3b4acb73fb4c944986876dd7c5062618d705c7a8db905e0641efd070e25a0f568ed0136379297f4266a53b112dcc8374a9d1f1a04321ac4d6cb

Download Submit