Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:48
Static task: static1
Behavioral task: behavioral1
  Sample: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Resource: win10v2004-20241007-en
General
Target: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Size: 2.6MB
MD5: e1555873a42a82d6f39b1081fb561cef
SHA1: e993f5ef7cd73bc52cc4be8d25a012e06a552f17
SHA256: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8
SHA512: 71c0f07368d1a06f026c9ceb58c85a3cbe0f1743665041b0a58545486f85d72095df10d6e61c149d008edcb379fe0975391ab3d71eee1fdc24ad3762e986718b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqv:sxX7QnxrloE5dpUphbVv
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (process: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe)
Executes dropped EXE (2 IoCs)
Processes: sysdevdob.exe, xbodloc.exe
  PID 1684  sysdevdob.exe
  PID 2836  xbodloc.exe
Loads dropped DLL (2 IoCs)
Processes: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  PID 2296  57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  PID 2296  57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ6\\xbodloc.exe"  (process: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAH\\bodasys.exe"  (process: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: sysdevdob.exe, xbodloc.exe, 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xbodloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe, sysdevdob.exe, xbodloc.exe
  PID 2296  57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe  (2 entries)
  PID 1684  sysdevdob.exe  and  PID 2836  xbodloc.exe  (the remaining 62 entries, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  PID 2296 (57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe) wrote to memory of PID 1684  (procid_target 28)  x4
  PID 2296 (57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe) wrote to memory of PID 2836  (procid_target 29)  x4
Processes
C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
  PID: 2296
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      PID: 1684
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\IntelprocZ6\xbodloc.exe
      Command line: C:\IntelprocZ6\xbodloc.exe
      PID: 2836
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads