c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Size

2.6MB
MD5

fd31ea45aa1aa63450a52ad57d20ad06
SHA1

71378f4186e13d606df52c1784dda9d4dfcc954d
SHA256

c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7
SHA512

6c582c1870d7b7aad8da185de6a343e58d9b7484b3e307f35aa1fd0e9213665e5414c073963a8af670259cb352b04b22ce9a31f734ae5eabe3066e33c47a6b36
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpJbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	sysabod.exe
60	xdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIA\\xdobloc.exe"	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXD\\optidevec.exe"	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe
1708	sysabod.exe
1708	sysabod.exe
60	xdobloc.exe
60	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1708	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	89
PID 3048 wrote to memory of 1708	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	89
PID 3048 wrote to memory of 1708	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	89
PID 3048 wrote to memory of 60	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	90
PID 3048 wrote to memory of 60	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	90
PID 3048 wrote to memory of 60	3048	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	90

C:\Users\Admin\AppData\Local\Temp\c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
"C:\Users\Admin\AppData\Local\Temp\c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\IntelprocIA\xdobloc.exe
  C:\IntelprocIA\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocIA\xdobloc.exe

Filesize
256B

MD5
bae5eb085a9f023b8d36e2a083933bdd

SHA1
c8f3b383d6ce74e8606027a03db4b0ae08c513b1

SHA256
b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

SHA512
93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

Download Submit
C:\IntelprocIA\xdobloc.exe

Filesize
2.6MB

MD5
0ccf03b090071604a9d5c5d2b51635a1

SHA1
2f67801b0f980f0a5367b0bc73419b55135667f3

SHA256
99a37269e208ff6f0a146ec07ce965f06228b3426c94f6ecd0f5d829e1eb2717

SHA512
52343aceebf166d389c663bea8b517bbe4eafa556063f14c1be16a2ef612fb7acbb671f2e757207ef385b13ac75f9f040e09dc71d8e6b5c09d05a79166ee24d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
57c4ee025621dd41009dc0b2bfcb808d

SHA1
6d0a4a9f62b69f79cf0793eae7ba1d16ae678210

SHA256
f23e82e21c4b2a5c1a27258e2d34edc622bcdaa2742e6c5314881bb91c41701b

SHA512
76bd84a579425833d3c79136533e4e3f2cf281c6a69d8ff275f06293879e493045fe328484c83c1351b007ae977e9e78ae5f22ba657c6462f02a0928f046ddf0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
fba6bdbbbd547a364f17c615b1402ae4

SHA1
21c849a38fa288e468a84ad4e4f9ad8876281f82

SHA256
0587d48bd2041df3fc925ffd1fdd3e70d4c6657ca7969b03ff123d1d2a7a39cb

SHA512
1da555edae369e291d505cac93bd1adf84d787ce03f7a66cd8b76d23cfc92349a0990d530fc42d013207200d04d38d5ff68814ace61e4663140d01175a08ecf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
25be632dda53e0c2c8d9946138ccd752

SHA1
fb3072eace276bc829799a482f4bb77f4eb5f757

SHA256
de2b1515a9964f00f1956231df874e1b00030268b221d21c9c8d0150c84b0e8e

SHA512
bbd6afaa357d7b8420d878157dbd247903ac0ab9a6a5fa3636edb68cc243d90dee3a0b2eda9f784f27323da797069909ac0b72c93ea5a3d061b34feac0b9febf

Download Submit
C:\VidXD\optidevec.exe

Filesize
36KB

MD5
5adb04ffd8167f30cc78fcd98c884983

SHA1
a3aec3e9a64b42f4de6b7c15cb16969392be09ad

SHA256
4e3977db457b0a6f76194c0dc6a3a120d08cc0c5808d9dd675b1d389b3f158d6

SHA512
f1647f28befcbc36f343e86f1f450d89ca656d1d2c300d65b94fa4379f099370ef9d0ba8d64886e5a0b83e039748117c54ee59b4e64d3068799ccd73bed8842a

Download Submit
C:\VidXD\optidevec.exe

Filesize
2.6MB

MD5
f320dcb91d19f4d3dd26f2bb62ae1ae1

SHA1
391fbd149a9e4626f494a995353f0ca7fb3243a9

SHA256
69c2cbbb303bb7dd5828c59b1e86c94e99c837b2a382ea5bff09e97ae7e74ab6

SHA512
8cd3ee511f205e4d0fbd5a3cc0de7a02e2905d40739afb34a0c15e5e2ce246dbdd954ccba2f5781deee24df4f853d9bf68f53ec884c0394143ffa16dd4c336cc

Download Submit