b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
Size

2.6MB
MD5

46f2073cd4364076c502b75e34d8829e
SHA1

3bf44dfe40442f7b0a4bc3eaffa054ab1649746f
SHA256

b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9
SHA512

ab684220b166397bb19bd4e2ed6ebb65bbac6987f2a4262987eb6401935e2348c65fa602bd9eefc26296b3ea70ece86b78c6ec1a348866f7cf6e2136f2e3d1c1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	sysxbod.exe
1764	devdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNT\\devdobloc.exe"	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6E\\boddevec.exe"	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe
1984	sysxbod.exe
1984	sysxbod.exe
1764	devdobloc.exe
1764	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1984	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	86
PID 2292 wrote to memory of 1984	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	86
PID 2292 wrote to memory of 1984	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	86
PID 2292 wrote to memory of 1764	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	87
PID 2292 wrote to memory of 1764	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	87
PID 2292 wrote to memory of 1764	2292	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	87

C:\Users\Admin\AppData\Local\Temp\b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
"C:\Users\Admin\AppData\Local\Temp\b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\AdobeNT\devdobloc.exe
  C:\AdobeNT\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNT\devdobloc.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\AdobeNT\devdobloc.exe

Filesize
2.6MB

MD5
11d13be3fc20a0b56ce1cfc580e02798

SHA1
cbd2bb196c112c257b566c3cc23de7e16827b7ba

SHA256
a51386d382966dca01eb3a5115c7d484af2dd011650e041ec0f5ad8b0ff3e737

SHA512
52dd824f929c66906678b5ab2dfda7e0ca070ebe040211166925dd76ddff0f77a7c74e95db13ffa1c567068f4fc204beb8ee50eff71a0023cfb201e5b469a0c0

Download Submit
C:\Mint6E\boddevec.exe

Filesize
2.6MB

MD5
f3c312050e2c2514375d4ba0d6272eeb

SHA1
4d7ff0fd3ca8077292481b6dfdbe60410b6e26d0

SHA256
5630798fdcf27af6ea167a0273b4c4dfc70187f1510cef2dce628b0dc6368e98

SHA512
d4ca08e054fe2095591b2853df149e2b4407a890de6e88da40e6435aa6fc38c59b9f75bacb10f65a28226c6911e6052764cc74c97f781aeb884e248a5536a07c

Download Submit
C:\Mint6E\boddevec.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c5b7167da0d8f756b2c01015dafabc31

SHA1
cdecd18f433f84905df193bbe8765b560b56aa46

SHA256
b00a8e186898f78f5a750c7a3a1c531feeea0b67da3609e3a62e7927172da60d

SHA512
33472ab063d02bdbb375a68237b473611102c0700f3c3cb81c41271fa0e0914930fcf1d5f842f33b22a60002fe78486c8b9fa64f0360da2c3d484539caf77541

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
8a5e5ab157bd34e5a529548a18da06b0

SHA1
7cbc2a436aed87023f91615c6e510ae9d787fedb

SHA256
bfc22f096e0e9f12f99e65c9ab883bdd7c9746cd29c296e052e0572e7736458d

SHA512
ffb903d2333a163d8451a2c37b820c97ec89b531c5d8ca88c4e5cbd145ea6e59c316fab99e6c314719d584d1add101ee133d9c68bf727abd181b08e39fc52085

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
1590ba1d94d50889f1414b2bcdb063b8

SHA1
6fc3d35c24fbfad4d280106a61b61440cded5a61

SHA256
19991d0b82431e299c726bfa45ae67b595714b05842af9c3e1f0e308458a4b3c

SHA512
2df27de8719985fae08a8260702960cbb034ddc0934e55825655534e5a9a4e4c1c731ffaec0a94bd13b54aadf2005618a24d9be5c962427da6315a17b4073aee

Download Submit