Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 23:42
Static task: static1
Behavioral task: behavioral1
  Sample: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
  Resource: win10v2004-20241007-en
General
Target: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
Size: 2.6MB
MD5: 5e766b1c0a77dc453ff6f67737e8bec0
SHA1: 4de0702d4d12030108e83a9bc31696fd9508314b
SHA256: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669e
SHA512: c116bef1e3bb97d73dcaefdb79fd8dbaf800aa7296a11f704aff28760bd278372ea578e47b88071e30b1530abb06d0f09851e72c0416a474a0faed1c68a2e338
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
- Drops startup file (1 IoC)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |

- Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 756 | sysxbod.exe |
| 2028 | adobsys.exe |

- Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |
| 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7V\\bodasys.exe" | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2Y\\adobsys.exe" | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxbod.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobsys.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
- Suspicious use of WriteProcessMemory (8 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2096 wrote to memory of 756 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 30 |
| PID 2096 wrote to memory of 756 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 30 |
| PID 2096 wrote to memory of 756 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 30 |
| PID 2096 wrote to memory of 756 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 30 |
| PID 2096 wrote to memory of 2028 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 31 |
| PID 2096 wrote to memory of 2028 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 31 |
| PID 2096 wrote to memory of 2028 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 31 |
| PID 2096 wrote to memory of 2028 | 2096 | 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | 31 |
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe"
  PID: 2096
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    PID: 756
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Intelproc2Y\adobsys.exe
    Command line: C:\Intelproc2Y\adobsys.exe
    PID: 2028
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads