Analysis
Max time kernel: 119s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/11/2024, 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Resource: win10v2004-20241007-en
General
Target: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
Size: 2.6MB
MD5: 6de03fab414e9990d9061dd0ed693020
SHA1: 55d0e3b1d8f296d32158205df82ee427cd06bcf4
SHA256: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7
SHA512: 98fe4cb7ea453a279a1df75a5162cfe0802ee52aa82412f98f16ffeb02b47048ae624ead2b88aa382464865b4d16cb2dfd568899396c61cc136720bd3e7a9c15
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSq:sxX7QnxrloE5dpUpFbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4264 | sysxbod.exe
  4844 | xdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\xdobec.exe" | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4W\\bodaloc.exe" | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; only three distinct pid/Process pairs occur, repeated entries collapsed)
  pid | Process
  4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  4264 | sysxbod.exe
  4844 | xdobec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4100 wrote to memory of 4264 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 87
  PID 4100 wrote to memory of 4264 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 87
  PID 4100 wrote to memory of 4264 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 87
  PID 4100 wrote to memory of 4844 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 90
  PID 4100 wrote to memory of 4844 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 90
  PID 4100 wrote to memory of 4844 | 4100 | 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe (PID 4100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 4264, child of PID 4100)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotB5\xdobec.exe (PID 4844, child of PID 4100)
    Command line: C:\UserDotB5\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: b5c0de4a0aeb209ef138246a7fb84861
  SHA1: d1d8776f857ca62f150a0ff55e52436c1f0d285e
  SHA256: 53a2e937a09f39809cf6cc39c9c16b6f04c72a56da860d85c5682e9c42221093
  SHA512: 8238641d9edf8d17ca4b133742898b11a31eaac6d0c14fb8b9bcd281980e0e91d247b5a07b0fdbf51312d51d7595a1ea2edc4a7e6a4ec65cbc9474b4dfd896c7
- Filesize: 2.6MB
  MD5: c5fdb4b9a0515c491c6b5362fe13900d
  SHA1: 41417bc36274c7e90bba38e3ca9c453b55fe41a7
  SHA256: 6f1c709d3a2eb4c7e74d5ce6bc53d92057a6b2e105a779882f63157bef1b22e6
  SHA512: 30906c7bcf7edb03c1830922c695efee6caa321d26cfeef027028f508ff22a08076501889520cfe14e39010766b488374f126d4127ab10d091a7ae4d8dc8fc20
- Filesize: 2.6MB
  MD5: 9aa9611efc6843522ae5df48d37410ef
  SHA1: 45ba78ad660eceac178116c3f62a657b5037ce54
  SHA256: 1fff33631ec6692dccc1bcbb29702613e03c3ff95a9bb094c29581210fecf964
  SHA512: aae57c228b44af99eb737f6d2a9b67b45fe7fcf9fc7d6a1dbf45d4bb8ead94d404c644f6876c85b82f5127a647b752c6c313e9d4ebf439b54acd5036c3597c10
- Filesize: 201B
  MD5: e096f89193d31f2f5daea4549f7da64d
  SHA1: 6d8002acfd71dc968921c32b7b48fe832b43a832
  SHA256: 877bdeac6e06a0043c0e0a808a2d25069287f546dce1fb782b93480e25bc6141
  SHA512: 98a9a2c7126d4303444e8d82a6a67b23e7607e116e73281f518c1d5d8a3cfbb0796037f8718e70b7559c8261b35d27939d86ed278e466b1bd2df208d31eb2b04
- Filesize: 169B
  MD5: 8dd51ed7c0fd42f6ba68db74bb1f8af9
  SHA1: 1339bd2ff1b739b0e136f55201fcb05ae032d8e3
  SHA256: 8f2896a479a10e9a773b7857d8a38880a82a73fdf0719b458ab3208bfec51924
  SHA512: b4c04af7d2527780af0a5397d0a8772e4488bbf02fb4e88fe4c1c42dad391dc1839e4c67a021519cb98754d8a467112049f061a3aa6b1f992a4d6e3066eceb53
- Filesize: 2.6MB
  MD5: 59d5f4a5ba8cdbe8a58480fce0fdd6b8
  SHA1: 949edb9f117c6881fa1f0cd8f66e799b3a12641b
  SHA256: 8723c1868bc6c93e46afe3894308de08a731c7bb82af3ff70cc24eef2ff76ab6
  SHA512: 2cdd5bd9cd8e23ae7a0b5abf3750046651a2ac389a9e9bb5ea163ca0a54950b7eabb847a838ae337bd6cfdd0b7ab6b999810b76bea1147c74ab1765d7cb4d4ed