83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
Size

2.6MB
MD5

a5d4a8bde0f1c82bdc3eb9b10dbd2145
SHA1

43c91b1b5120b064440ea82e24fb645d82f78276
SHA256

83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0
SHA512

a18db9e07bf4f88d7551fdfe3b6b3c6e7470ceaf41d7e31b7e72076dbdadb23498980b25be481a4832efcd18d68c7a427d825fdf4ed31bffd2f443211a612fdb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSi:sxX7QnxrloE5dpUpIbl

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	sysadob.exe
2704	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUS\\xbodsys.exe"	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHO\\dobaec.exe"	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe
2740	sysadob.exe
2704	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2740	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	30
PID 2964 wrote to memory of 2740	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	30
PID 2964 wrote to memory of 2740	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	30
PID 2964 wrote to memory of 2740	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	30
PID 2964 wrote to memory of 2704	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	31
PID 2964 wrote to memory of 2704	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	31
PID 2964 wrote to memory of 2704	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	31
PID 2964 wrote to memory of 2704	2964	83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe	31

C:\Users\Admin\AppData\Local\Temp\83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe
"C:\Users\Admin\AppData\Local\Temp\83fb7c417e544ceb18fcabe8d7a7f3e5558628f8f9151d07fd8b3371e04189c0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\IntelprocUS\xbodsys.exe
  C:\IntelprocUS\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUS\xbodsys.exe

Filesize
2.6MB

MD5
fee4ef1ab5c991878f77916365ea41c2

SHA1
c8c81595ef7d69923498d20cd9781abecd876d30

SHA256
4701621752c1a31495a18607720901900761affd1b9af66b2bb35451cea0a3e4

SHA512
1965bcbecf2f221e0667779ae9c653a50f074f3a55566e02a077d4c4368c9bcd88c5c26853967f471c529a5615525ac38039c0e6420a8a1649f833b3c3f472c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
74a5c07d3109f1d052d9e91ce8ab4b17

SHA1
36dffa2ef2b8377d59f079f69fb83ca1e8db2fc1

SHA256
6ee8a66ee63266f9a917ce4c271ff4561f1c61680389400c563683468728b3bd

SHA512
dece9f649fb5e009509c5cd8a13dccfbcf0f04794f56ef23538d8e47be2b65dc2f1bf0af1a40f751f32cb94923b0efa27c2f1d07c6643aabcb429c54b6e57071

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0691fb4efd326acf4d768ac939bb51f5

SHA1
93d2ee692c47f7974f984b43433f2fcb40e1c383

SHA256
b7b75febdb2164380f4b73383d997586d9b6280da762e07da988a9c041ede0c4

SHA512
b91f70b8b333aae396c6d5feb0bbc2cb1e4cb1ed18f247643db0051679a88ad9edcbc5a8bff732864dabd149738737e12376a338a253c0a477b4576823e0d015

Download Submit
C:\VidHO\dobaec.exe

Filesize
2.6MB

MD5
12a9b479953970454b9b0a4416165eb1

SHA1
5ac25711d39fc53ca60c9b0a0f0ee61898cc7e6e

SHA256
0a7b452c9ded3459cd0bbf8718eed65e3e07312596b2bb56c14fa6717ae864dd

SHA512
5d278d2bcbe4fec1da6e75ca503138e41ecad46f9411e7f5bd475614cb1eeeeb996f5ff3e3b746dbb08fcaeee6a1090bf6a735175eae4286c590f0943afd08d0

Download Submit
C:\VidHO\dobaec.exe

Filesize
2.6MB

MD5
fb90f7cd58d7cf8a8a848b3b7eb6acdf

SHA1
87960b9727af8301969e1ff108a58d6f1316bd94

SHA256
42ee3b2bf40f71253b4940a92512ae593da02b852c621ef80cf4e768beb02500

SHA512
e25acd09b85c4833ee5da50a9ed50cfd8060bd18425fd03c6a944ab5552895c88155d25e474d8d33f895c84860c38a00cfc0c2a6510d9817247ea3ec9bc8ffad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
8e8b0056bc665d7007f5a3fe68fd266f

SHA1
ce6ec42b3c3095ad99b938bbb7d3b7ece7217162

SHA256
0d49d37f3c5b839077da07fad38de592f0112e970a18c7411e82fa43eb57c634

SHA512
18c8465098ed72144875a689249c91c5e010c4157b73aeba381565928ff6d4738550108435d661b9ce918ffd21959a818bdbac463978948e18da3a790250fde5

Download Submit