Analysis
- max time kernel: 101s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 16:12
Static task: static1
Behavioral task: behavioral1
- Sample: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- Resource: win10v2004-20220414-en
General
- Target: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- Size: 1.2MB
- MD5: b5c62f489422f627cff6c315b8556a2f
- SHA1: afbef151e8d4037c68c00c51094aadf2d733b136
- SHA256: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0
- SHA512: 18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 964  bobyse.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 1552  26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
  pid 1552  26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- NTFS ADS (1 IoC)
  Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe:ZoneIdentifier
  process: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid 1552  26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 1552 wrote to memory of 964  1552 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe  bobyse.exe
  PID 1552 wrote to memory of 964  1552 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe  bobyse.exe
  PID 1552 wrote to memory of 964  1552 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe  bobyse.exe
  PID 1552 wrote to memory of 964  1552 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe  bobyse.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe
    Command line: "C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe"
    - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe
  Filesize: 1.2MB
  MD5: b5c62f489422f627cff6c315b8556a2f
  SHA1: afbef151e8d4037c68c00c51094aadf2d733b136
  SHA256: 26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0
  SHA512: 18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d
- memory/964-57-0x0000000000000000-mapping.dmp
- memory/1552-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
  Filesize: 8KB