eb3d5eecec4baf786a32cfd0775b7eba116e4adf88cd3ea6ae81ab3e4ee27cc5

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2e92fe0646a18adb6018399f1a019280.exe
Size

4.1MB
MD5

2e92fe0646a18adb6018399f1a019280
SHA1

09f681bec48b7979f20fcc42c3805c06a53cb7ec
SHA256

eb3d5eecec4baf786a32cfd0775b7eba116e4adf88cd3ea6ae81ab3e4ee27cc5
SHA512

2b438332fa752703dc91abcc7ec4248e699f6dba49cdbd1372f9083f462bcade1fb99d2edea04c8f58cec23fa6d5519711f0609c53276848a72e33153b08b953
SSDEEP

98304:+R0pI/IQlUoMPdmpSp+4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm15n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW3\\xbodsys.exe"	NEAS.2e92fe0646a18adb6018399f1a019280.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUF\\bodxloc.exe"	NEAS.2e92fe0646a18adb6018399f1a019280.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe
2236	xbodsys.exe
1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2236	1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe	28
PID 1580 wrote to memory of 2236	1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe	28
PID 1580 wrote to memory of 2236	1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe	28
PID 1580 wrote to memory of 2236	1580	NEAS.2e92fe0646a18adb6018399f1a019280.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.2e92fe0646a18adb6018399f1a019280.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2e92fe0646a18adb6018399f1a019280.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\IntelprocW3\xbodsys.exe
  C:\IntelprocW3\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW3\xbodsys.exe

Filesize
4.1MB

MD5
4fd515be993d49bad2f0d8ed7b2f460c

SHA1
a7ff01b82efdb136f296d09df9048cdfc0d18f29

SHA256
a4813ae7f75d4245ee79f97bdda037e84e67364b240c170f0b5bf00d31411e61

SHA512
75ad5a40100f558259a1a29b939db090c90951ceef04c36d82f31ac5ef1771aa1f687f778b846d0caabb3b6a16dcbcb9ce1f456e854b4987a6178f341e48d378

Download Submit
C:\IntelprocW3\xbodsys.exe

Filesize
4.1MB

MD5
4fd515be993d49bad2f0d8ed7b2f460c

SHA1
a7ff01b82efdb136f296d09df9048cdfc0d18f29

SHA256
a4813ae7f75d4245ee79f97bdda037e84e67364b240c170f0b5bf00d31411e61

SHA512
75ad5a40100f558259a1a29b939db090c90951ceef04c36d82f31ac5ef1771aa1f687f778b846d0caabb3b6a16dcbcb9ce1f456e854b4987a6178f341e48d378

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
f3a674b883315c3392adcda0919028b4

SHA1
fb32dd1dd2a7cf78949449eb443f7f4baea84a4f

SHA256
bb4299576eb6c87a9bde944e8be7e60aa416af5df14c37f38d43aee67e96b303

SHA512
12a7e1ab1f81b323433d19095f8a526baa34289a4f5ffe45e9197882a90f5fd46e78bdde6e4f8a7b3f3615df04562ab4fb80e81972171aacd9c3abf34f4b46a1

Download Submit
C:\VidUF\bodxloc.exe

Filesize
4.1MB

MD5
79d7280949bbc3988c498553f0d3f632

SHA1
550cc779f71cf8d1c6773b664ca156826e88d46a

SHA256
fde0d7ad47ead33398bcd16337d938400fa04f758bdca0fe8aeeaacace135dcb

SHA512
3a4bde212f46a513e5510c15021b5b85a143d5c411bc74f31455d8c93c3fd80a7d9752ec9f51d572148c9e49d8aac05f8dfd848e887e709dff311b045a2c6e91

Download Submit
C:\VidUF\bodxloc.exe

Filesize
4.1MB

MD5
79d7280949bbc3988c498553f0d3f632

SHA1
550cc779f71cf8d1c6773b664ca156826e88d46a

SHA256
fde0d7ad47ead33398bcd16337d938400fa04f758bdca0fe8aeeaacace135dcb

SHA512
3a4bde212f46a513e5510c15021b5b85a143d5c411bc74f31455d8c93c3fd80a7d9752ec9f51d572148c9e49d8aac05f8dfd848e887e709dff311b045a2c6e91

Download Submit
\IntelprocW3\xbodsys.exe

Filesize
4.1MB

MD5
4fd515be993d49bad2f0d8ed7b2f460c

SHA1
a7ff01b82efdb136f296d09df9048cdfc0d18f29

SHA256
a4813ae7f75d4245ee79f97bdda037e84e67364b240c170f0b5bf00d31411e61

SHA512
75ad5a40100f558259a1a29b939db090c90951ceef04c36d82f31ac5ef1771aa1f687f778b846d0caabb3b6a16dcbcb9ce1f456e854b4987a6178f341e48d378

Download Submit