Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Resource: win10v2004-20241007-en
General
Target: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
Size: 2.6MB
MD5: a954123375b68224644745c7d4caf4f9
SHA1: ad91f8c88f9414ce194d49898df6286671e14eed
SHA256: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30
SHA512: 9a1cde7ae63c7dbecde7b5c9150ce88074cec75980ad76c266a28e610e84ecaf3bbe02ff6ef2e7217ef61fdab126b005acc68b7f686b09836ef35cee218af648
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqX:sxX7QnxrloE5dpUpIbVX
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
Executes dropped EXE (2 IoCs)
  PID 2752: sysxdob.exe
  PID 2672: xbodloc.exe
Loads dropped DLL (2 IoCs)
  PID 2180: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe (2 events)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL6\\xbodloc.exe"
    Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUE\\dobdevsys.exe"
    Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe, sysxdob.exe, xbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2180: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe (2 events)
  PID 2752: sysxdob.exe and PID 2672: xbodloc.exe (remaining 62 events, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2180 (fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe) wrote to memory of PID 2752, procid_target 30 (4 events)
  PID 2180 (fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe) wrote to memory of PID 2672, procid_target 31 (4 events)
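The Startup-folder drop and the Run/RunOnce values above are the durable indicators in this report: the same parent process (PID 2180) writes all three, and the registered targets sit in freshly created top-level directories (C:\SysDrvL6, C:\VidUE) rather than under Program Files or Windows. The following is an added example, not part of the sandbox output, showing how a detection engineer might correlate those signals per process. The event lines are constructed to mirror the IoCs on this page (paths, PIDs, SID, the value name "Parametr") in an assumed flat `key=value|key=value` format rather than real Sysmon XML; the event type names, rule weights and threshold are assumptions, and the Program Files event is a constructed benign control.

```python
"""Per-process correlation of the persistence indicators recorded in this
report, run over constructed Sysmon-style events (assumed flat
"key=value|key=value" lines, not real Sysmon XML). Added example, not part of
the sandbox output."""
import re
from collections import defaultdict

# Constructed events mirroring the report's IoCs: the sample drops sysxdob.exe
# into the per-user Startup folder, registers Run/RunOnce values named
# "Parametr" pointing into new top-level directories, and the children open
# the NLS\Language key. The Program Files event is a constructed benign control.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000"
RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    f"type=FileCreate|pid=2180|image={SAMPLE}|target={STARTUP}\\sysxdob.exe",
    f"type=RegSetValue|pid=2180|image={SAMPLE}|target={RUN}\\Parametr|details=C:\\SysDrvL6\\xbodloc.exe",
    f"type=RegSetValue|pid=2180|image={SAMPLE}|target={RUN}Once\\Parametr|details=C:\\VidUE\\dobdevsys.exe",
    f"type=RegOpenKey|pid=2752|image={STARTUP}\\sysxdob.exe|target=HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language",
    f"type=RegOpenKey|pid=2672|image=C:\\SysDrvL6\\xbodloc.exe|target=HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language",
    # Benign control (constructed): a vendor installer registering its updater.
    f'type=RegSetValue|pid=4100|image=C:\\Program Files\\Vendor\\setup.exe|target={RUN}\\VendorUpdater|details="C:\\Program Files\\Vendor\\updater.exe" /background',
]

AUTORUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.I)
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
STANDARD_TOP_DIRS = {"users", "windows", "program files", "program files (x86)", "programdata"}


def parse(line):
    """Split one flat event line into a field dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def executable_path(details):
    """Extract the program path from a Run value: quoted path or first token.
    (An unquoted path containing spaces is ambiguous and is cut at the space.)"""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    return details.split(" ", 1)[0]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def is_new_top_level_dir(path):
    """True for C:\\Something\\file.exe where Something is not a standard
    Windows directory: the staging pattern (C:\\SysDrvL6, C:\\VidUE) seen here."""
    parts = path.split("\\")
    return (len(parts) == 3 and re.fullmatch(r"[A-Za-z]:", parts[0]) is not None
            and parts[1].lower() not in STANDARD_TOP_DIRS)


def analyze(lines):
    """Score each PID; returns {pid: {"image", "signals", "score"}} for PIDs
    that tripped at least one rule. Weights are assumptions for this example."""
    findings = defaultdict(lambda: {"image": None, "signals": [], "score": 0})

    def hit(ev, label, weight):
        f = findings[ev["pid"]]
        f["image"] = ev["image"]
        f["signals"].append(label)
        f["score"] += weight

    for line in lines:
        ev = parse(line)
        kind, target = ev.get("type"), ev.get("target", "")
        if kind == "FileCreate" and STARTUP_DIR.search(target):
            hit(ev, "startup-folder drop: " + target, 3)
        elif kind == "RegSetValue" and AUTORUN_KEY.search(target):
            exe = executable_path(ev.get("details", ""))
            if is_trusted(exe):
                continue  # software registering its own updater: no finding
            value_name = target.rsplit("\\", 1)[-1]
            weight = 4 if is_new_top_level_dir(exe) else 2
            hit(ev, f"autorun value {value_name} -> {exe}", weight)
        elif kind == "RegOpenKey" and NLS_LANGUAGE.search(target):
            hit(ev, "system language discovery (NLS\\Language)", 1)
    return dict(findings)


def persistence_suspects(lines, threshold=4):
    """PIDs whose accumulated score reaches the threshold, highest first.
    Language discovery alone (weight 1) never reaches it; it only adds context."""
    report = analyze(lines)
    return sorted((pid for pid, f in report.items() if f["score"] >= threshold),
                  key=lambda pid: -report[pid]["score"])


if __name__ == "__main__":
    for pid, f in analyze(SAMPLE_EVENTS).items():
        print(f"PID {pid} score={f['score']} image={f['image']}")
        for signal in f["signals"]:
            print("   ", signal)
```

Run stand-alone, the script flags PID 2180 with all three persistence signals while the two children register only the low-weight language-discovery signal and the Program Files control produces no finding. The trusted-root allowlist is what keeps ordinary installers quiet; the extra weight for a path directly under the drive root is tuned to the staging directories this sample used and should be reviewed against an environment's own software inventory before deployment.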
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
  PID: 2180
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 2752
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\SysDrvL6\xbodloc.exe
    Command line: C:\SysDrvL6\xbodloc.exe
    PID: 2672
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 0860ba7ab87e6dbf893e728aa4621778
  SHA1: 6296ec6dd59bc3b8a68b647437f788d3632c62db
  SHA256: dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2
  SHA512: 6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef
- Filesize: 2.6MB
  MD5: 041dc284b91064ab8f65bbb0c896da88
  SHA1: 0d22fa16a6f47cdbd8f725b0f9e9bd434e2e1aa6
  SHA256: fbe867e6060f0d6b7f662ac08fc3f9ecc8c982058cd99177f78075fd51fb3df4
  SHA512: 9d122fe764d412fdfb0f86c2fe734a0ffac6f6bd7160305cb67c6be27a6384bf3398bc7199c61e7f8ddc140ae5cfbd21e14c0ab3ae97195b9e265893d04c9689
- Filesize: 170B
  MD5: 83cc3848b71ecc575fff5e2c636801ab
  SHA1: 60fe80f1a018733f5d3c479ae010594b8b954b3c
  SHA256: f1253ff44f4a03b2e5205cd0be12da50020a3f5b27647391d8508d7c626708c3
  SHA512: 7c19ddd9f042931979c7d0ff3adc61ac1563a1ddd43c918550d08c3acf0b5bd230d9ac605e656b9df6c68255ffc5e81e1f4a26fcdc5400a3518eeb3d75d68545
- Filesize: 202B
  MD5: 7d4802bc054bce832268988623554ab9
  SHA1: f3dacdb1b1e57cd2a2ca30b8bff9077117f807b7
  SHA256: 102b4a8055ff7964fea1436e423ccfd38528e738e0af7303cecda233c977535e
  SHA512: dbdfeb8be600dabb4032b542252858ce15375207f38c6fba67d25a0166348a22b2baf04f3c0d27c4e8e5c31c73ccd9671650862901c8ac0b2a5e75d4896cae67
- Filesize: 2.6MB
  MD5: aec5969d646c0bae3722930622715bd8
  SHA1: f10127d7715ced86c08b46905ea0bdac8221a158
  SHA256: 2fee50b0289bdf20a500c87533c01f680ee7742bf20468782678d9debbdb634b
  SHA512: 3dacf03231fb3452b9e6a8258f3ea3e53566d356fac4e9df909c7263f02a30e6ec08ed53f9821b9862bc3508bedc2a6e53a9aba401ecbbdf29030f1866118f98
- Filesize: 12KB
  MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
  SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
  SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
  SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712
- Filesize: 2.6MB
  MD5: b3cb1b4185d70856f37547ebd63f6e24
  SHA1: 3f03a47f40997caa4ce4ff749375d271915350e6
  SHA256: d48a016cf5780ff92b11496b518932b02600a4f9d6106877d399585f33b8e213
  SHA512: 79092c07bcd67fb3228502c46c16d5795c7397984136d27914b7380a19810c5f77e146c4373bfdb8ca917811b0ccb6e7bc5066fd8aced404fc5472a293b68a16