7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Size

2.6MB
MD5

a2e3c966cc08cce0c578426b140170dc
SHA1

c7ae35599b9ed0c25019ec290723157d73da53de
SHA256

7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180
SHA512

0c049584d0c595472c7a7ff4ad53cab168c86a083ff6aa72dcaa1cf10b35f3791e6eef439cfc285bd1a9445e7750312c3078f8a97c40c5b58e070262f591df9d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSG:sxX7QnxrloE5dpUpIbH

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	sysadob.exe
2732	xbodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKK\\xbodloc.exe"	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK7\\dobxloc.exe"	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe
3060	sysadob.exe
3060	sysadob.exe
2732	xbodloc.exe
2732	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3060	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	87
PID 2744 wrote to memory of 3060	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	87
PID 2744 wrote to memory of 3060	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	87
PID 2744 wrote to memory of 2732	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	88
PID 2744 wrote to memory of 2732	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	88
PID 2744 wrote to memory of 2732	2744	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	88

C:\Users\Admin\AppData\Local\Temp\7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
"C:\Users\Admin\AppData\Local\Temp\7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\IntelprocKK\xbodloc.exe
  C:\IntelprocKK\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKK\xbodloc.exe

Filesize
2.6MB

MD5
8d4fac40ee64f62e087b96bc4b8d10fc

SHA1
0cfaf5bd9c44924246dff09236c9d3e1f7612fb8

SHA256
1a303946a89d87485136d9f5180aae410de848be4d98a529c24d36a98e216f52

SHA512
79fcc8177b9f0dce27e4b52632f1e13e02d64dfc56d05003b417ee10b1f628415ae0f8cfcaf7570737235a294f378b51b707bab2512af21ede6995b0a27b41ee

Download Submit
C:\KaVBK7\dobxloc.exe

Filesize
2.6MB

MD5
db9c711da471bab89ef1c08e3a5365bf

SHA1
c04e565f95f02131e5b6cf9d3ea3e5c154576c04

SHA256
98cf19106b536f82694e62f07b120d902f73f474369f40e81e8074533fad8b90

SHA512
b33e0481752aed13e55cb3bbecb6e0bc7193ef5088df364470bdbe00240619ae7439bfe579b8d436b54be7dcef408366c7bac9d35ce991fa3112cfdbb6d304c2

Download Submit
C:\KaVBK7\dobxloc.exe

Filesize
168KB

MD5
eee8ea98dcccbbdcc8eee3640e3e867d

SHA1
00b2991e7729860aa8fc5d4279ec0a15bfc44b94

SHA256
f76d0e160740d8422bf24ca3c88fa441d21322a861128abea1bafe09ee85e004

SHA512
b63eab26bfa3f85a17aaac09985ed4f5c4da425590f7901a6f245d3779a35640315afde563538433bf0ba8df9586607656ddc91335a57a3a4e7d7a4a4922327a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b7c2bd84807c448eb96215f7586d1a12

SHA1
28168624090ed2267d2ef9378fb7f6afb668ce3c

SHA256
df41175b01752081bb714360ca1b074406c16e78c2d1b9f5182692296faf199e

SHA512
a40cd38fe8035c20397e66d3b907121f1b53020feab3c5d81db2b7731e7646701f3660422274e40f8d0da1ed203b1963625dc4450f544092c581bc9e62f501be

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
92769745a748ce4d7f4d9b51eb0f16ae

SHA1
50f5a2268fc737b5586a410a45f061d554a0fb95

SHA256
20d05eb2232032f56b35000e7493612becb264dc020d28b86eb5e69e1ab98e89

SHA512
3499424955e3dd56c64405493900f7b33a54ba52afde25f2ab5826996842dd4b8687855a3787c908de5147cf021993363b0725e9bdfb3c38b86bb6300ca071ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
9c5ce784ff80ccc014ee5cf829a08a69

SHA1
cee8585fb35b4ea68eb9b6caf0466eb69f30bef6

SHA256
a6a1e7cbfa88dc5d6aa55a7b5a5fbc729c2b213b24f307e80f383e4b6eee732b

SHA512
1ab9696b268bccc4f27779eb0ecf4a7e6f6ba759ed4a5a7500f6e32b322d0e94ef88e6353ce228b3fc337d716e4cf1d4f7ed2ac0fb0398b87a9205ee366d5415

Download Submit