Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:51
Static task: static1
Behavioral task: behavioral1
  Sample: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Resource: win10v2004-20241007-en
General
Target: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
Size: 2.6MB
MD5: f39e661293c6eb02e1ecfe75608533cc
SHA1: b3ed1e1afdc8d065fdec6be89fd2de7ffb865377
SHA256: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa
SHA512: c69121d43574de34b9babfabaf6ae3eeba9b62b54f216cea56ae9a1c318c14e9fe71affac306061ab6dd319e10b3bc371a5848a92a32b50097ca6c9947da0a7b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSy:sxX7QnxrloE5dpUpKb1
Malware Config
Signatures
Drops startup file (1 IoCs)
Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
Executes dropped EXE (2 IoCs)
Processes: locxbod.exe, xbodsys.exe
  pid | Process
  2744 | locxbod.exe
  2832 | xbodsys.exe
Loads dropped DLL (2 IoCs)
Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  pid | Process
  2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMB\\xbodsys.exe" | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFZ\\optiasys.exe" | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: xbodsys.exe, d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe, locxbod.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxbod.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe, locxbod.exe, xbodsys.exe
  pid | Process
  2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  2744 | locxbod.exe
  2832 | xbodsys.exe
  (the last two rows repeat alternately, 31 times each, for the remaining 62 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 2744 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 30
  PID 2316 wrote to memory of 2744 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 30
  PID 2316 wrote to memory of 2744 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 30
  PID 2316 wrote to memory of 2744 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 30
  PID 2316 wrote to memory of 2832 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 31
  PID 2316 wrote to memory of 2832 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 31
  PID 2316 wrote to memory of 2832 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 31
  PID 2316 wrote to memory of 2832 | 2316 | d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe (depth 1, PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (depth 2, PID 2744, child of 2316)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesMB\xbodsys.exe (depth 2, PID 2832, child of 2316)
    Command line: C:\FilesMB\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
  MD5: 35d5f2180b8da2eaecad0679e66dc251
  SHA1: 3e782e20becd6567750bacb04faafd148aadac06
  SHA256: 2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700
  SHA512: 15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493
Filesize: 544KB
  MD5: aba5f0f333201565c2c429be92716b14
  SHA1: b60fbae703c10e223dda9e6c284d126e3ca51d2c
  SHA256: c8f1affcbf78049e87681848a12345417a186ca92b1a804672fff75df9b2e268
  SHA512: 4f923dc2a20bc6eaea77a056694516c685422ff794397d93f968b7ec02ee43eb4dec4b606e988d323aca5913342ecaf08fde40e0aa7bf94d8b828b02a4846c52
Filesize: 9KB
  MD5: 61b773990ee27e9e908970e63b267f79
  SHA1: 522f4b8bd8207fe759634142fdb72607b71380f4
  SHA256: 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d
  SHA512: 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e
Filesize: 169B
  MD5: 5bf8c635793da44279bc869fcdc09200
  SHA1: e4cb5e5b0192218e986679ef6fd62e50c6b2d24e
  SHA256: 6453fdc8718d92fc01c84099b536387f7afc91641bc46464cd44970b477c7982
  SHA512: 62ffd842fa03cc1fbe0b67645da132d17cb131dd415b8bb1eb7e5e481d96d6b884da9c6294cb536a6f2c00ce3fd71ded8e00622c12fbdc4354384be6846cf922
Filesize: 201B
  MD5: ffba3267a1c07a318d35b69a51637dda
  SHA1: bbde65a99a8e7d1060690589ea01a7c025d5d808
  SHA256: 4309bd60b6ecd6f4e51c94d9997a9998bb7eae89b1a641d6813ae760dd5e4ba7
  SHA512: 3e3b8ece8f2f3d36eae48d65b3afc4a0368794e255266a3bf368f5af601ba3e731791ab7517a249326ea4e409e59ff2fe152fd185fa988a9fc9e99706d5b8578
Filesize: 2.6MB
  MD5: 908f94b9fcd7d9e50922ffcbbb8f1063
  SHA1: 50202d53abda9dedb5f886625328345fe8b5d69f
  SHA256: 27f15496582653257d53efee3cf499e4201791895674636719efd847297c9ea0
  SHA512: b8173a941d78f899cfaeaa0e948469d7dc64b529539eafa5680332ca91fd78750486e139b7b017936316c9b463e008627b85b5d31d0c47d3febfaa9055ea05bc
Filesize: 2.6MB
  MD5: ec8a9e7a3ee232f2def62ead2aaa0061
  SHA1: 7cc86174c45d28da4582c3533a2793a57551b527
  SHA256: 81ad83d48c549b48abe065fe2949536bbff32e06ff57502f02ddf18c6e846818
  SHA512: bd1acb4c1c3d10aff30a7f9b1bcfc5873f0937a5b5d75ff1541606995f26c5b295f47976643a2a8a3005a39ecb17d40fcbb59c3e5285f3093e8501df86a3f8be