234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8d

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Size

2.6MB
MD5

158fe4ac75d099fe8b6d4b6cefaddda0
SHA1

9e6d3d9e787eb244763c21ac9401745f3c84c781
SHA256

234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8d
SHA512

dbeed827ad7846fd75a0266bc2f0df4b0a41808553584eb1fd44ab1d95ef5a561562e6f3c468ee58d97153ac0435debc85867b216c7b6d2102267f617bb288c7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpob

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe

Executes dropped EXE 2 IoCs

pid	Process
3084	sysabod.exe
2840	xbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR2\\xbodsys.exe"	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCB\\bodasys.exe"	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe
3084	sysabod.exe
3084	sysabod.exe
2840	xbodsys.exe
2840	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3084	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	87
PID 4824 wrote to memory of 3084	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	87
PID 4824 wrote to memory of 3084	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	87
PID 4824 wrote to memory of 2840	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	89
PID 4824 wrote to memory of 2840	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	89
PID 4824 wrote to memory of 2840	4824	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	89

C:\Users\Admin\AppData\Local\Temp\234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
"C:\Users\Admin\AppData\Local\Temp\234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\IntelprocR2\xbodsys.exe
  C:\IntelprocR2\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocR2\xbodsys.exe

Filesize
2.6MB

MD5
6e55eec379812488444c5e7816bdf653

SHA1
ef1d8ac84fd8d64a9c6448e7b52c893337db57ad

SHA256
8a050277b17c93af5b7fb744aacfeefad7ed0875184b76807e036009ceda9c02

SHA512
c151dfce96d085eca107eb37585aa256ef68731d62864c5e740b7872dfe0466d11cb0cf704a1f2f617fdf70c8158da90d565d9b45b05ff8728f9cdcf0431c626

Download Submit
C:\LabZCB\bodasys.exe

Filesize
2.6MB

MD5
c86888293f66d3b280b04088d8f01929

SHA1
a6254f10477ff80581897e7713f115ad12a23482

SHA256
11e429fea61468054eff7085c4c82c298e055172297d7920620e2df51563578b

SHA512
7f2cafa2b2fe573857ea48148b66a736a34ff4bcea70359d89d84e0f44ad3fe1943c1b914907bd35c3a8e6f58d198d012acd7da863598e40c48d3683071a60fa

Download Submit
C:\LabZCB\bodasys.exe

Filesize
1.6MB

MD5
bee4f311779b19e6e69956b0dff9042a

SHA1
21e287d70a2dbb228f83fc546c77e86d9a67778f

SHA256
f275609adf4565cb71228f42c4587be2b9691c1f2c50c11cd3f0b1a946bd8ee7

SHA512
e95bef581a9c7a529b5288678cdda92f4fcfc18f0e588ee5a151eab72c6c264240cbd5a9d48f4d0c10e7146acb417ca0ec1c87e4a43e6e1d6374cf619b815fdb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
5284062d4602e56528fb68fcc7fe2bce

SHA1
eec42f786a65642b0e76d16f877b0bc494bb7bc5

SHA256
7c899a53542b818bc3799fa3126a00bb00d512dac1c2196661c29ae452b0136c

SHA512
9c53857020a6ace7154aca48d54a91dede0a660b36e864e6dfbc18de539090584f8799c68877d76e4bd6bb7f4673d874ca118eac7e309539ad732912df0b10c1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
1d372e63bb9b1552315b734df1d10421

SHA1
b27948785003c9f4056aa623584063a5b865ed78

SHA256
b7a9845d495b7ce123775f99646e3a42eb8bb137c32654f4c9843fde2a9aeb93

SHA512
8acce8af2f6bde3ecf304402e11692b168da45046c774ce64f95817f3fc6a2458e09c989e0d201e905c9a9f1baeb39d181f7fd4aa87d19eb726ee0b49e8685ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
7f3e4c77fad7602ef65706a504d816f3

SHA1
19e1016504bd0f1aa11a732e93c977358ac0c37a

SHA256
7d6e2d5b72895ae808a3199cdd4b498417e952adac04eea4d22ae32566942d80

SHA512
125c23395aba01629ae97d2c6f47a36e0631fc22be21bb40cf3a4848e21e40886224d6862c6b98411d82a8ff2d79bcf6a589fcf898aa0ba67ea3538b4fbe5f65

Download Submit