79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_c527d92958bc1247a6471765e5449c60.exe
Size

2.6MB
MD5

c527d92958bc1247a6471765e5449c60
SHA1

84fba87a0998698d3b6040dcfb83667a3eb2109b
SHA256

e9b4211e90f2c15e783c73a5998e3284b75b4afe70dae956e6dab0eb17732125
SHA512

1fdcac718581fa8fbdf15b3d3cdb0c2cf06f6a9a56facab47cf1841578264a1a6014cc51c07488939005852a569ae8c4c45b61b54e0b99d4d1f0bc78c1daa8da
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSq:sxX7QnxrloE5dpUpUbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	virussign.com_c527d92958bc1247a6471765e5449c60.exe

Executes dropped EXE 2 IoCs

pid	Process
2600	sysabod.exe
2140	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe
2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHC\\xdobsys.exe"	virussign.com_c527d92958bc1247a6471765e5449c60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQP\\bodxloc.exe"	virussign.com_c527d92958bc1247a6471765e5449c60.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_c527d92958bc1247a6471765e5449c60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe
2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe
2600	sysabod.exe
2140	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2600	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	31
PID 2460 wrote to memory of 2600	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	31
PID 2460 wrote to memory of 2600	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	31
PID 2460 wrote to memory of 2600	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	31
PID 2460 wrote to memory of 2140	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	32
PID 2460 wrote to memory of 2140	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	32
PID 2460 wrote to memory of 2140	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	32
PID 2460 wrote to memory of 2140	2460	virussign.com_c527d92958bc1247a6471765e5449c60.exe	32

C:\Users\Admin\AppData\Local\Temp\virussign.com_c527d92958bc1247a6471765e5449c60.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_c527d92958bc1247a6471765e5449c60.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\IntelprocHC\xdobsys.exe
  C:\IntelprocHC\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocHC\xdobsys.exe

Filesize
19KB

MD5
d016b0ad254ae9664284c6bec29c5ba6

SHA1
7ae5e9559a1832a9fb2100c1032f300c8dc78e9e

SHA256
7c02f64b740ff9995b503e0f1e0c8c01d837aa4bd8585709cf0f8dfe61831374

SHA512
c22c1b33c86d3a40515e18681d66290f6976b7510b3d4fce432a93ed4220ed0ce1cc8d8f3ddbabfe38b8176b15e6f826172e59fc74b34f4e1ca4414306ea2430

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
9454bee31b3795e04256fcbd4e290042

SHA1
3e57545cf71bae5f685a5e0bd81a4772e91ef56f

SHA256
d5a2b70eecaf935ff758e6e99ec2006a225839ea1df1721ac9fa609724f7c5bd

SHA512
837cbcd73670b4024e286b81576ec85eb5c610780e92196f1c2ac29be09984b6ebbadef576dfc6742f9b6cfb279068c20f017b24884e17fce2237e6d1480d96b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
2af94f48ff9dced27a3785d72af884de

SHA1
101c9119bfde9d5c7b27717d3caa9a7c46d5ad6f

SHA256
b336db40b6ed0dbe9bd11f7165592775b4f05b484dd75bb06096af29b785586f

SHA512
d3c0c78dae55a5ed12f88309a4fed8746a30f2324ea0bdd4f153d88dfe86d52e09d7496854b4186f27203336fa150161ff5e51d3a77c62c61696a3fe38bd3555

Download Submit
C:\VidQP\bodxloc.exe

Filesize
23KB

MD5
3802e70e50917db6adbff13a6824dce7

SHA1
1ec74804dcbb5eac9158cc01b922116000bd27f6

SHA256
b81d5b38681149b114bf47a1e7fa43ddd85131b90d90958a3b1ff715a6be3573

SHA512
2ae50667aa5c3bf216c71d67c60ef19a77841a00f44d71976aa8f97b9a6fd7f512a1183679559970fb5175722a27db103b3b44cbae08e134908cdae961b88b2b

Download Submit
C:\VidQP\bodxloc.exe

Filesize
17KB

MD5
b368be22b6f3efa4cb1810b4e2cb27d5

SHA1
96d9349871e2237380f6a6a964652272f27904cf

SHA256
0ce0efd3c2aeed662f19833d3c79744b8359494af12b382b3e7777d0c7994675

SHA512
af2f2195302b6a944a5992be11177f07c76f88b892b66482c2c157ae316974d20fe28185e8aebe84e480ad1d768f3116cf63f72f7876477c9534741de1d0a0c9

Download Submit
\IntelprocHC\xdobsys.exe

Filesize
2.6MB

MD5
af030635e6a935a5cd827038223e0436

SHA1
cdf2e653674b8e0b30982eeef4c79ed4a4740b7b

SHA256
59b1b28f177d0f2a2292a8145696829ed61555696428519957e0533490dd5458

SHA512
2505ef8f6e4b37049a46142aef04d3e11b51c745df5e919cf2f34f420c823d8ee3cdcc8801834ed0f45df09aa9e36438069e83f9e51b7d96223f91c45e80c6fa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
ecaba78b402ab9183055cde8cbe5afe1

SHA1
b5848862eb03291848694e0e25b836a06f64a2cc

SHA256
ddb2a6fd6902091d5ffc7079620960ef778d007d0b1085b920d100c027f4b02c

SHA512
72638e870004ed98301b88619a6d792237b62f7f7a09ab921934f1970e6848798a9e2f74f7f669b0d28e73010f7da03d3c8910d1f891f55e22d6b80b8ae9444c

Download Submit