Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 22:55

Static task: static1
Behavioral task: behavioral1
  Sample: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
  Resource: win10v2004-20241007-en
General
Target: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
Size: 3.1MB
MD5: 2410c92d917a12b2d18a6742a7d69a20
SHA1: 385ec8d713f39b691ff3a86559d07d3a04742347
SHA256: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5
SHA512: dc5d6622aacc9bfe92f283df7df6e464145195713f62ec76d58964903ef75e1d36fe434e27f2a10b0725bf8580ad06d242b88ca79135d56bdf5cecaf16896181
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpabVz8eLFc
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2900 | sysxdob.exe
  4420 | xbodec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFP\\xbodec.exe" | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV8\\dobaec.exe" | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | hits
  4572 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 4
  2900 | sysxdob.exe | 30
  4420 | xbodec.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target | hits
  PID 4572 wrote to memory of 2900 | 4572 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 86 | 3
  PID 4572 wrote to memory of 4420 | 4572 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 87 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe (depth 1, PID 4572)
  command line: "C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (depth 2, PID 2900, child of 4572)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotFP\xbodec.exe (depth 2, PID 4420, child of 4572)
    command line: C:\UserDotFP\xbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
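The persistence, discovery and parent/child artifacts listed in the Signatures and Processes sections, turned into host-hunting rules, as an added example that is not part of this sandbox report or of the sample. It assumes a normalised event schema of its own (fields type, pid, ppid, image, path, key, value, data; not any vendor's telemetry format), a set of constructed sample events that mirror the report's IoCs plus benign noise, and ATT&CK technique IDs mapped here (T1547.001 for the Run key and Startup folder, T1614.001 for the NLS\Language read). It goes one step beyond the exact IoCs with a heuristic for Run entries that point at an .exe in a one-level directory straight under the drive root, the pattern C:\UserDotFP\ and C:\MintV8\ follow.

```python
"""Hunt over host telemetry for the artifacts this report lists.

Added example, not part of the sandbox report or of the sample: the report's
IOCs are restated as rules and run over constructed, normalised events
(types file_create, reg_set, reg_open, process_create). Field names and
ATT&CK IDs are this example's own additions.
"""
import re
from collections import defaultdict

# IOCs copied from the report.
SAMPLE_NAME = "ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
DROPPED_NAMES = {"sysxdob.exe", "xbodec.exe", "dobaec.exe"}
RUN_VALUE_NAME = "Parametr"
RUN_TARGETS = {r"c:\userdotfp\xbodec.exe", r"c:\mintv8\dobaec.exe"}
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)$", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.I)
# Heuristic beyond the exact IOCs: a Run entry whose target is an .exe in a
# one-level directory straight under the drive root (C:\UserDotFP\, C:\MintV8\).
ODD_ROOT_DIR_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
STANDARD_ROOTS = {"program files", "program files (x86)", "windows", "users", "programdata"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_file_create(ev):
    """Any .exe written into a Startup folder is a persistence hit (T1547.001)."""
    if STARTUP_DIR_RE.search(ev["path"]):
        strength = "strong" if basename(ev["path"]) in DROPPED_NAMES else "heuristic"
        return f"T1547.001 startup-folder ({strength}): {ev['path']}"
    return None

def check_reg_set(ev):
    """Run/RunOnce value writes: exact IOC match, else the odd-root-directory heuristic."""
    if not RUN_KEY_RE.search(ev["key"]):
        return None
    data = ev["data"].strip('"')
    if ev["value"] == RUN_VALUE_NAME or data.lower() in RUN_TARGETS:
        return f"T1547.001 run-key (strong): {ev['value']} -> {data}"
    m = ODD_ROOT_DIR_RE.match(data)
    if m and m.group(1).lower() not in STANDARD_ROOTS:
        return f"T1547.001 run-key (heuristic): {ev['value']} -> {data}"
    return None

def check_reg_open(ev):
    """NLS\\Language reads are routine; only score them for already-suspect images."""
    suspect = DROPPED_NAMES | {SAMPLE_NAME.lower()}
    if NLS_LANGUAGE_RE.search(ev["key"]) and basename(ev["image"]) in suspect:
        return f"T1614.001 language-discovery: {basename(ev['image'])}"
    return None

def check_process_create(ev, sample_pids):
    """A dropped EXE launched by the sample reproduces the report's process tree."""
    if ev["ppid"] in sample_pids and basename(ev["image"]) in DROPPED_NAMES:
        return f"execution dropped-exe: pid {ev['pid']} {basename(ev['image'])} <- {ev['ppid']}"
    return None

def process_tree(events):
    """ppid -> [child pids] from process_create events, in event order."""
    tree = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            tree[ev["ppid"]].append(ev["pid"])
    return dict(tree)

def hunt(events):
    """Return every rule hit, in event order."""
    sample_pids = {ev["pid"] for ev in events
                   if ev["type"] == "process_create" and basename(ev["image"]) == SAMPLE_NAME.lower()}
    checks = {"file_create": check_file_create, "reg_set": check_reg_set, "reg_open": check_reg_open,
              "process_create": lambda e: check_process_create(e, sample_pids)}
    hits = []
    for ev in events:
        hit = checks.get(ev["type"], lambda e: None)(ev)
        if hit:
            hits.append(hit)
    return hits

# Constructed events mirroring the report's IOCs plus benign noise; not captured telemetry.
SID = "S-1-5-21-2045521122-590294423-3465680274-1000"
RUN_KEY = "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
NLS_KEY = "HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4572, "ppid": 1000, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_NAME},
    {"type": "file_create", "pid": 4572, "path": STARTUP + "\\sysxdob.exe"},
    {"type": "reg_set", "pid": 4572, "key": RUN_KEY, "value": "Parametr", "data": "C:\\UserDotFP\\xbodec.exe"},
    {"type": "reg_set", "pid": 4572, "key": RUN_KEY + "Once", "value": "Parametr", "data": "C:\\MintV8\\dobaec.exe"},
    {"type": "process_create", "pid": 2900, "ppid": 4572, "image": STARTUP + "\\sysxdob.exe"},
    {"type": "process_create", "pid": 4420, "ppid": 4572, "image": "C:\\UserDotFP\\xbodec.exe"},
    {"type": "reg_open", "pid": 2900, "image": STARTUP + "\\sysxdob.exe", "key": NLS_KEY},
    {"type": "reg_set", "pid": 808, "key": RUN_KEY, "value": "OneDrive",
     "data": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "reg_open", "pid": 808, "image": "C:\\Windows\\explorer.exe", "key": NLS_KEY},
    {"type": "file_create", "pid": 808, "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"},
]

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_EVENTS)))
```

Run on the constructed events it reports six hits (the Startup-folder drop, both Run/RunOnce writes, both dropped-EXE launches under PID 4572, and the language-key read by sysxdob.exe) and stays quiet on the OneDrive Run entry, explorer.exe's locale read and a plain Temp write. The NLS\Language read is deliberately scored only for images that are already suspect, since almost every localised program opens that key; on its own it is not evidence of anything.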
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60KB
MD5: b3b7a9f5f3d17e3555825a59df9f2a7a
SHA1: 6161f42b3651f2a4691dd863f579bacae1a8da4b
SHA256: 9b8a5165f6ec39bf0e94858053b926663bff0d17eacc6095aa35c73a48e8e911
SHA512: 5b907b41c898f42947fdafcdc4aad87678845fdd5349c6af1e82a3f2586cd17401c2a5621c3b4893aa92813ac1f0ced6b6f591d23027580837ced8108b4c3c05

Filesize: 1.7MB
MD5: ced5548eab3b7ac2d65dfe4e79582ed8
SHA1: 78674c5faddf5a35f2f09867cb5edead7a524bad
SHA256: e2b09e6b04e2c6d4183916ddcd2d02d16c47d6cb0c14772879c035ab642235f0
SHA512: 1498c396d3ce702ae43428b9bc92f8fe5de3e675bda0701b9e7393b6c3b9ee5e6640d4a89a4dbc7c6410e3a2ae45315486e678b1814e2a048ce7f9d2ceb4a529

Filesize: 344KB
MD5: 8e8e820925103b3b2c083de15dd4fd1c
SHA1: aa18a08d1ecddb360e575e01031d95610bbeee91
SHA256: 0005f03ffdb99aa9fada1ba622f464f235a8753c264f5602ca0c117e923bc155
SHA512: fda6d18e11d14947d4da5dbcbea8832355421c7688442975ef3aabf3db71fdca0b4f3e46f409cc7360914bd7dab11ed898afd8b23dd33dd247f0b20609f64fee

Filesize: 3.1MB
MD5: 0076d5f0cedd9343247fa2668549d1f5
SHA1: c22f8b37cd090c1b86e8a228be20614b71c6064d
SHA256: c3f200af03d9e719ecee4742f49f715062c3ecc67a1af15e96c2eb0229892159
SHA512: 77b8bf4b2ec9031c84c3490fbecee3d7d6dfb03e36f0187337491b96a7d949417e5dc59bc152c215c5b6ddbb2cb02b2a082e38e1618a3a1a9dfe48495be09b31

Filesize: 200B
MD5: 0bf40e4d687a5aab43ed4e273222f39a
SHA1: e5494b94fb0a27010675ccb9527a3d19bd1abe6f
SHA256: 03a1638138f6dc5f5857f3838d6b59bb8385c0d7032cae8ba87a53d656aaf006
SHA512: ee485649b3106cf7bcf696d4a64db51d927bd556b2c5e6fed64d59415e06f840e5bec2a00f39ddc7da1fa79cd3ae523e57fe3855639eb18cb2399db6437e7630

Filesize: 168B
MD5: ffc7d599e6cf7b2deca03c55b77ef468
SHA1: fc13b5d737ee2e5e382274c0f60eb3a0748ff698
SHA256: 3b16ea547d0f1ee08704b9bfd0a3daab1a4702383ce908d4e5cbe681be0f2365
SHA512: 8d2a9c906b27f602bb83d8808b513a8ff1be1f12b8ab380807402a6f798fd49812c4e42e5c3fc298a347877b38dc50f1a0e1f4fd157ed500f9b096d65e2e394a

Filesize: 3.1MB
MD5: 9467251cfa809c9b6de8477a33868a13
SHA1: d6c66cf7c12f54d90da33c0de2f3be68f4a15c64
SHA256: 7f140aa47479eee52119cbfac9919d93e742c76444019ca6aa9510464ce04295
SHA512: ab6abb5114c389060bb9c552481ab7a414c7e75737d47f3207c80b36ca3e1814d543b126d91a7ddbab0a319b9353a1fe7d3439d60230486a8c9018408f7225f6