4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Size

2.6MB
MD5

5f75770cd1b4f0c75cf21010124e6050
SHA1

acd5d13cfeb9dffbe029d7f8f1cd8d4f56e7ce4f
SHA256

4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453
SHA512

5c7fde930976f6b75f9d2c6336a8ecfd65e7167a245781b770fce949992009a16915f048f5ddbbc8c96996f04e1b0c0729a8b32948ee5684ab59566358d0c9a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe

Executes dropped EXE 2 IoCs

pid	Process
3892	sysxdob.exe
3436	xbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFP\\xbodec.exe"	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV8\\dobaec.exe"	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe
3892	sysxdob.exe
3892	sysxdob.exe
3436	xbodec.exe
3436	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3892	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	84
PID 1996 wrote to memory of 3892	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	84
PID 1996 wrote to memory of 3892	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	84
PID 1996 wrote to memory of 3436	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	85
PID 1996 wrote to memory of 3436	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	85
PID 1996 wrote to memory of 3436	1996	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	85

C:\Users\Admin\AppData\Local\Temp\4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
"C:\Users\Admin\AppData\Local\Temp\4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\UserDotFP\xbodec.exe
  C:\UserDotFP\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintV8\dobaec.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\MintV8\dobaec.exe

Filesize
2.6MB

MD5
082ede6c21ed12e10b6638fe1ab8ae57

SHA1
5e1a6e21e013cac84567a4aa0e81396e324b7039

SHA256
9e550301ab37defa7589c0297ed312ce697594aa4749ea658f04fe93c0af9aca

SHA512
66e6aabbabb56b9f323eab489da6fd38a1352082526f5a3f8910ffd86bc051213c2df68b5c2c3c502d56362903e0d5161320c37884f5c849b07a8a9113b1ca64

Download Submit
C:\UserDotFP\xbodec.exe

Filesize
18KB

MD5
7b3af07912640805489e8c5cf4d13cdd

SHA1
ebbf740092a005c3977c248e866e368bd740fabe

SHA256
796cd64f663a3cf7a7152674d09a6e15ce855b7bcc484e09032d93e380273de8

SHA512
f38bc3460dcba201e04314f8585733c0305f097921a1c45a98e6211fcaa629f95a25f4bb5248e9228ee4cfb91a86eb34bb42b10cb8f1733aa492b0f8ec1da96d

Download Submit
C:\UserDotFP\xbodec.exe

Filesize
2.6MB

MD5
91fdd11897a3b0419a3a072aff163002

SHA1
bf86133c9913fb8434f3e7fe122f59e3c5052893

SHA256
51d8b98b47a5ba85aea0911329bd880399fefbb97a4ad7f96ba0ac97275717c7

SHA512
00dadc3e3f554a1c2cb70196affe1434b82e28d9388c3ec8f4f336f84722e04f592b78dfe95541fb4ffe7343963da193bdcffc3c8876b511e3d1d1b9bae69506

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
0bf40e4d687a5aab43ed4e273222f39a

SHA1
e5494b94fb0a27010675ccb9527a3d19bd1abe6f

SHA256
03a1638138f6dc5f5857f3838d6b59bb8385c0d7032cae8ba87a53d656aaf006

SHA512
ee485649b3106cf7bcf696d4a64db51d927bd556b2c5e6fed64d59415e06f840e5bec2a00f39ddc7da1fa79cd3ae523e57fe3855639eb18cb2399db6437e7630

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
ffc7d599e6cf7b2deca03c55b77ef468

SHA1
fc13b5d737ee2e5e382274c0f60eb3a0748ff698

SHA256
3b16ea547d0f1ee08704b9bfd0a3daab1a4702383ce908d4e5cbe681be0f2365

SHA512
8d2a9c906b27f602bb83d8808b513a8ff1be1f12b8ab380807402a6f798fd49812c4e42e5c3fc298a347877b38dc50f1a0e1f4fd157ed500f9b096d65e2e394a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
0998accdaf544844f1d102e688491595

SHA1
c26596f8a486bd883967fc91597266aaea532310

SHA256
c06af43142a817ac75d897581dc662421833a2edbcfdf549e8b58cd9d314745b

SHA512
16e7f50c26cda14e8f52c074c0eee9507639791d334eb05f16909f479c5dd3ead6b0370112676292158bce48771b30db8482677e9d479f3053896bd97cb654b0

Download Submit