Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 19:55

General

  • Target: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  • Size: 2.6MB
  • MD5: 42e4fee316404e8b073aaa70878e8685
  • SHA1: d2c60fdbe4c1fedec87905a15bc9b517a4352b1c
  • SHA256: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8
  • SHA512: a7f205f5ca2f9e9d794d0568f7da3d7f956677c7f9ca7a99adc73ed7615dfb16c0ca838d455f3308ccdc898465f1473cfa84dd827a97b3fbcd461117b99ec761
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpVb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
    "C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2580
    • C:\UserDotO3\xdobec.exe
      C:\UserDotO3\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:848

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\UserDotO3\xdobec.exe
    Filesize: 2.6MB
    MD5: 957a39666e25bf80d1ed5809fa76036c
    SHA1: 5b5c5266f1b79753476432ea132ecf544f96b664
    SHA256: 282bf58490cefc230795ee0038c35025b602249cc8faa2883ee6882a19a21a8f
    SHA512: 54e7267bb2a1503d4272cc7d3b1821e9f180a01c4993ce714613f05eb09bcfb7f3ea0ab5dd49901e5f4973e8b3ecd83ef347b1e1cfa1fba2838175d3a12b31f1

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 3377d25c1e4aa583d09e54c1135c10af
    SHA1: 6b282327e493dd46dd70ce4bfef98cec7160f12d
    SHA256: 11b9c6f0db493867c647604d73dfe0ddd46f65095953083411658de61d879e97
    SHA512: 291fd0e199e97adf1ca78abc62641d6e44c2589bd5fb624f96764c3eac96a34a1e7464341e445d5ec7ac58a194165cad0aa5bd7117d4c6cc9ccf09f71fe676d6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: ed9328d873f1735d182652806f7e26e0
    SHA1: e15aff4c693ed36f0d73a51cd44884c829e7ff8f
    SHA256: d3a650d5cb6684b81faa7daea7b58fde5c2dc6dcd3c4cfe79f718e4fc600b7e9
    SHA512: f246c01894211e358625a1f010a7b668df75ba6821fd97a434a4266e7a9a489fbbe603b9e1b8f0ad9a5d4b3585c71886a66f63d98d9e15c480c2a2d579a8bd90

  • C:\Vid1D\boddevec.exe
    Filesize: 2.6MB
    MD5: c5a26dd1a0af79834cf3e2df527322b6
    SHA1: baf93c715acad086ecf1600c0f2d16e75845ccf7
    SHA256: c7c1528098007a7d7608107796d9e76944c6ef170369b354f99addd5151272b9
    SHA512: 904e286398dbac2bcb8047209ef47e26f245b8a5860bf59ce8845c0477d34e296da39885b7aa4d7f44aa58bc729fccc693cf4264ed0745ca23c2abcd499687e9

  • C:\Vid1D\boddevec.exe
    Filesize: 2.6MB
    MD5: f2db5967cc0aa113384f5ba4fa7035ef
    SHA1: a44f5b2ebf144552e1d264557eb7c81f10ee8a98
    SHA256: b307360de7ff458d1ee47aad9ef95378ea84a596b6d897c73aef2c825a9b1d7c
    SHA512: 70f01c35a557cace6370dbcd95d2428f52549c64ac6918e08a06d236a5162ade299c35e974545aa9b0c0a16699f502bb66f57f540bec417ba8ed8e565246721c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Filesize: 2.6MB
    MD5: 773500367c23b829cb40f300d2032665
    SHA1: f053673df87ec20a98813cc126cce771e01feaa0
    SHA256: 5107b5f121b37545cacd3c78fce0aa3d4f052ee8f39c04f1826b2e345c42127c
    SHA512: 2c33bc80b7d3ba5240bc715fe5522fbaa7c144d7e21e161e9aa54562cb009c180d946f326beb31ec41451602d7959fac318d7d3172f450789861b63e82e1e98a