Analysis
- max time kernel: 119s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 22:23
Static task: static1
Behavioral task: behavioral1
- Sample: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Resource: win10v2004-20241007-en
General
- Target: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Size: 2.6MB
- MD5: c0f890c9b99201af39fd56f688b7d8e0
- SHA1: 6ca6f2ad3d375789f061c2f78aead750025bb599
- SHA256: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5
- SHA512: 27e12397a0946219f60256774774a5aab5309935a717439a6a1eae1b6c68a1ac4272178cda5d8548298fa0cc22e58adefb36ffa78d58a1f318d0d9d17f697c3c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5020 | sysxbod.exe
  2700 | xdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\xdobec.exe" | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4W\\bodaloc.exe" | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
  5020 | sysxbod.exe
  2700 | xdobec.exe
  (64 entries in total; the report records the same three processes repeatedly)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 384 wrote to memory of 5020 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 88
  PID 384 wrote to memory of 5020 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 88
  PID 384 wrote to memory of 5020 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 88
  PID 384 wrote to memory of 2700 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 91
  PID 384 wrote to memory of 2700 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 91
  PID 384 wrote to memory of 2700 | 384 | 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
  Depth: 1
  PID: 384
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    Depth: 2
    PID: 5020
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotB5\xdobec.exe
    Command line: C:\UserDotB5\xdobec.exe
    Depth: 2
    PID: 2700
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 0df908c3f34fbe60c1fe418a7842f0d6
  SHA1: 9e06bf1856e2a22d23bc18f23ea136707a3ee04a
  SHA256: 63eaa615fe2ea566029633e313e69d4feb59dadd21f62e803a01b7c9a7a522a2
  SHA512: 6bcccb26eda145143e3f67a45f3ab0a43734096044f513353427e5d8e861c444e809c533ae95c3b1850f74d3cc31ab1dd0efbdeaaeb7172059a177b33f5f421a
- Filesize: 1.8MB
  MD5: ce71db63a4047ef756d5c7390422c1a6
  SHA1: c31aab720f97e086fd1e8d7538cb486e86f9cf40
  SHA256: 3c6a9e7a7b7b05a44d0a83f80d525aa0a12df149d1eddc9d9e776a841b3dec90
  SHA512: 3afc0ac85c5881f27778fba1156b047b06a16f1f334f1d24c53efbe42b66b416588f3aa6b4ffba1a97c51d5b384dc41070d0546dbbfb5aa7a9812111c49e1ca8
- Filesize: 33KB
  MD5: 0bff6a8bffb6b865fbe4908d666b07ee
  SHA1: 5e176ff62c86ebbdaab5e545079308f50395f3f6
  SHA256: 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
  SHA512: 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e
- Filesize: 2.6MB
  MD5: 1773562780076bc0357f512c14a1bccd
  SHA1: c19a79776bfc220c44b3577fe3594b5ea7e48ac6
  SHA256: d58f8e820f627b9e38d5ba12c64762809f9751da31e545824f53336fde4fe933
  SHA512: ef7acc9f815c8b57128c2f01b5edc0d77e8cd20568dc7392f1dbb19f9f90a7ac3d9950e0233b508c1caa6faeb391c3ba6c141336fa0944ecea7f2fd68133f3cb
- Filesize: 201B
  MD5: e096f89193d31f2f5daea4549f7da64d
  SHA1: 6d8002acfd71dc968921c32b7b48fe832b43a832
  SHA256: 877bdeac6e06a0043c0e0a808a2d25069287f546dce1fb782b93480e25bc6141
  SHA512: 98a9a2c7126d4303444e8d82a6a67b23e7607e116e73281f518c1d5d8a3cfbb0796037f8718e70b7559c8261b35d27939d86ed278e466b1bd2df208d31eb2b04
- Filesize: 169B
  MD5: 8dd51ed7c0fd42f6ba68db74bb1f8af9
  SHA1: 1339bd2ff1b739b0e136f55201fcb05ae032d8e3
  SHA256: 8f2896a479a10e9a773b7857d8a38880a82a73fdf0719b458ab3208bfec51924
  SHA512: b4c04af7d2527780af0a5397d0a8772e4488bbf02fb4e88fe4c1c42dad391dc1839e4c67a021519cb98754d8a467112049f061a3aa6b1f992a4d6e3066eceb53
- Filesize: 2.6MB
  MD5: 1e3547ecb2ca2b4c5c17873d41d67446
  SHA1: d98d1a1fcfb5e09e3d1351866b5577eb94e6d6e4
  SHA256: 6525b4331b390cbdfecc329ce55aaf6009ac0e8eaf7202c76e3e80dd085ab73e
  SHA512: 9fa15d36ce33b81a01615415965a7741936f3fbe5c1f5544b6eef2fe1327bdb02c29f5ee7ed5eddf61e49b008b670e2d5278c66def078fb9cdcf9acb1c646bed