Analysis

max time kernel: 120s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 21:19
Static task: static1

Behavioral task: behavioral1
Sample: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Resource: win10v2004-20241007-en
General

Target: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Size: 2.6MB
MD5: 3d3ea83b2b8f6d254c654505521506b0
SHA1: a4480aae27dfb526384eb179b3896e6d2fada447
SHA256: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276e
SHA512: 639eeee85e8d6884a1d383f7808702b9d957b71e7914a2fbd3e976b30b61dec755adfde21505b030f53365aabcb1312d761f5ac3a26ed527dc2d6c917275a881
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUptb
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3160 | sysxdob.exe
  1920 | xbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIF\\xbodloc.exe" | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZ1\\bodxloc.exe" | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 4
  3160 | sysxdob.exe | 30
  1920 | xbodloc.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1892 wrote to memory of 3160 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 89
  PID 1892 wrote to memory of 3160 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 89
  PID 1892 wrote to memory of 3160 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 89
  PID 1892 wrote to memory of 1920 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 90
  PID 1892 wrote to memory of 1920 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 90
  PID 1892 wrote to memory of 1920 | 1892 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe (level 1, PID 1892)
  command line: "C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (level 2, PID 3160)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvIF\xbodloc.exe (level 2, PID 1920)
    command line: C:\SysDrvIF\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 576ef3a9e8cd8716a2cedaa9cf1d6b67
SHA1: a0936459aba43cbdd7b505ddb40ceb7de397b6d8
SHA256: 2d1a5c269342c32a22489d3dc974186d752594115eb79c50e6125c0c4cf90e5e
SHA512: c8c2cb616e3aead71f01e76cf431c35515e99e76b110063b10d67f6a8c84a820cd629ee9d502b790710e34504f1caaadb6a0797d92c4c19845e830f09c0a00f9

Filesize: 200B
MD5: 7cee29388ba0d0de65f3d14e7d2bbd5d
SHA1: a870404eebe93d7dc944d93ddac4c42ad10b3adc
SHA256: 32af582136688e66af7dc6272e71e99cbc9f3a0be13abb4c82e7a7f28619d019
SHA512: dcf4c99beba76b35d79be60b939956e6ff6ffe42ac6a3e51ad0e06a4c3484a947a8e7baf9dcde1c68735a4f553579ad35a55f982cc2e216d0fa2b239d23a0733

Filesize: 168B
MD5: 4aef080a70ed79f33c03f5617e0da61f
SHA1: 3a0403d246de1f1ee60c08df5731679c62e78b21
SHA256: 1e8383c00a5384d18d989218c441e6f9c4db6f3b91392d98fedf697dd32a52b2
SHA512: 416708497847b1a18bebe7df1615ac870833091261df3be3aea41be7394c06e4a0311e414bf904cc7f589f48134eb256845bccab74607b5c43a6848e82e5affd

Filesize: 2.6MB
MD5: faa8721dd03581d270e2aaac555e2580
SHA1: 76fcc9623d8b495176718f50a95dc62d36525116
SHA256: d7e3f33a2f6fa4e65a199e49b79273afec67ce32ba8a8b26c7bf64c1f7627eb5
SHA512: 90061eddcd7d3685d3ac7867178cbf91829089695be73feeb9947631b5052b419eabb6f080fce3b0b5ff56cf49a7f1f0d3cc3a976ce5f2e23976c33169146019

Filesize: 1.8MB
MD5: 81c2db7655bb61d8128f7d54f9af69df
SHA1: 617e0ec2bdda81d7e6318ca99bb930a4bba478fa
SHA256: 728c48d8f2543ea2820d9f2ea78745c84c1c8898104b3a5d80b54583882aedbc
SHA512: ef9ef4493cae656fd28c2f18fb2a02b02021378d8fea87e8bfb5285dadd75485d1f0bd2be7aa151a9294e8106b2d24814e1bbaeb2f6353d71d95464e4acbfdf9

Filesize: 7KB
MD5: 20ec6effd447fb35f7db816f8c616148
SHA1: c8c9edd9f30b93dc161fc035c69b57e7af305dce
SHA256: 43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7
SHA512: 6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf