e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Size

2.6MB
MD5

5fb0ab2b779a5b43e46b727207ac8204
SHA1

484c83491794b078ce5d1a8c35eb9ff19ceaa4a8
SHA256

e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8
SHA512

e9e377e63ceaed4ed54c00bd2f123e4ffbdce0e79c42c9f39eed6d2990db15adb1a70531dd8141ace3d669981d1d34c3e6e9fea35b0557603ade75b6337d2fba
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqn:sxX7QnxrloE5dpUp/bVn

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe

Executes dropped EXE 2 IoCs

pid	Process
4408	sysadob.exe
1068	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL4\\xdobsys.exe"	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAE\\bodaec.exe"	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe
4408	sysadob.exe
4408	sysadob.exe
1068	xdobsys.exe
1068	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4408	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	83
PID 4672 wrote to memory of 4408	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	83
PID 4672 wrote to memory of 4408	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	83
PID 4672 wrote to memory of 1068	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	84
PID 4672 wrote to memory of 1068	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	84
PID 4672 wrote to memory of 1068	4672	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	84

C:\Users\Admin\AppData\Local\Temp\e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
"C:\Users\Admin\AppData\Local\Temp\e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\FilesL4\xdobsys.exe
  C:\FilesL4\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesL4\xdobsys.exe

Filesize
2.6MB

MD5
cb452766ec66f54627ca013511265b58

SHA1
b894c274e93d80bff4036adf4774a7172ad3af79

SHA256
62a6258505cb7d6dac1fbbc290e1451bd1d23d4a58e19797771860149363116f

SHA512
57fd1d22d9c700c8cfb51a957e816623e115f15e4790b01606a263f5ba19ec88bdce973333868ce9b3ba2f0ed72f47364700345cf8a9bce6fa8d5549c1853d5a

Download Submit
C:\LabZAE\bodaec.exe

Filesize
2.6MB

MD5
4755bcbff6d10149ba3c124166cec16a

SHA1
e1a91c7afacb9195eade37ae2f7948e9b0a63369

SHA256
12bd9cdccb4742be2db6fab5c0f981f66969dca4c41e1d2654c7a53991065afd

SHA512
8ae91b0c607f390aa846c1adc3bb49dfd47a12f7a95015aa65a301795a955c321eee88fa95f53b2cef8d7aca636ec2665d09b2812492e6b5a275d7446ed3901a

Download Submit
C:\LabZAE\bodaec.exe

Filesize
964KB

MD5
9f4eca3ec0b2c32fe999166604f3f66e

SHA1
ae27136510f2b05f23e8e61e1ce74c7220cf72b0

SHA256
49627d355dca34d04220f6410bfd3bd4e7fd2fa64201a866f97e0a72de6c382a

SHA512
e339ede5748e913c46a2d7167504973200f45456df614945df94ea9b4edb0d039e3bb5a250e5da061a0bfdb6defb77a14764c7df65f5c5c5c5867285b43c8c99

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
c86850b5a00faed4b3eaadea1e4fcb29

SHA1
5e4b5a7beed5d49a4f50eea0de06147d94bdacac

SHA256
7c161a64462e6f45441c10d6eff92d164dc6b57519f4428633e94815bd0e8ad3

SHA512
e754d518baf267e712d23e3bdd984936dfcd16f8fc20a9dd552e61c101b51d592576b617fd36874ec75d02e766a38bd330a57bad20b37fb948454b31ac0093b3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
3289404dae35060c5ee45d2931ec1aac

SHA1
49705e9203d38b26af19b2143ac8756dfbf56f92

SHA256
18af16f810fc285e631bc7dde453bb4bd86303c566e7a794dee11f99bf454bb3

SHA512
29dd5b41146353f41dea3fc5e139d5dbbc3205ff087682213bf9594aaeaec90a118ed8e334fcf000ad8ca7190ebb2b6bd779523ce314af0671a7b7f0ff27f4a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
7419e95011be671969b7454f8edbcb90

SHA1
9a18aa104a4f4b897d40e4256e2167bf0ff40b57

SHA256
bb1b4afb9a79aa34743721be1c06caa5c30f99be895a1be2dc8ef7517c464acb

SHA512
8a4e74a8c213da734484941238d88bafe28aaaa176a72a0a7edd0adab9543b007cd54ff4a0c29a9bfbae28312f29942d77a71f0e51507e0496edcd6db936c63b

Download Submit