20cb361ae4f9d5f64b6759cd7a593bab144ba95daf38403d6712d8240644c9be

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b07a8b28b47b6397f45970bd9ac393c.exe
Size

2.7MB
MD5

0b07a8b28b47b6397f45970bd9ac393c
SHA1

67f56c2b1477edc32adfd8defb81754a353a9744
SHA256

20cb361ae4f9d5f64b6759cd7a593bab144ba95daf38403d6712d8240644c9be
SHA512

236b58c6abb8ea25ffcab7c1b7b53c863ae74e48f85e38799a4d6dbc12d11cab1dc2e2becf93ea4be928e76ee3d062c052a4b479d6f8243e6d3c77bc14d10298
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpL4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	0b07a8b28b47b6397f45970bd9ac393c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQU\\xbodec.exe"	0b07a8b28b47b6397f45970bd9ac393c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevec.exe"	0b07a8b28b47b6397f45970bd9ac393c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe
2228	xbodec.exe
2892	0b07a8b28b47b6397f45970bd9ac393c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2228	2892	0b07a8b28b47b6397f45970bd9ac393c.exe	28
PID 2892 wrote to memory of 2228	2892	0b07a8b28b47b6397f45970bd9ac393c.exe	28
PID 2892 wrote to memory of 2228	2892	0b07a8b28b47b6397f45970bd9ac393c.exe	28
PID 2892 wrote to memory of 2228	2892	0b07a8b28b47b6397f45970bd9ac393c.exe	28

C:\Users\Admin\AppData\Local\Temp\0b07a8b28b47b6397f45970bd9ac393c.exe
"C:\Users\Admin\AppData\Local\Temp\0b07a8b28b47b6397f45970bd9ac393c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892
- C:\UserDotQU\xbodec.exe
  C:\UserDotQU\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotQU\xbodec.exe

Filesize
2.7MB

MD5
e58c098df011b0bc69879233769445b2

SHA1
dfcd4b0e27b1eb9e40349ce39cea6150694beea3

SHA256
17a2b1dee527abaca122c139db1e5facfe5c49d80ce1dabbd02b058807ee8731

SHA512
7241b331261aeed8aae5c176c9a0e5f6d6d3dd63020869df9c397d8195d257a7bcd5be83171f397b2867e86f10ba1535e39cef6122e3a948fee02095b0f3f7bd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ac89b0348c7748534e45d33bdf7c8bcc

SHA1
06147f583df693a355f6b5dd96ca2c1d1fab16ea

SHA256
15118210e1cc2cdf5b9b8d07b695ecdb3c159d8e8c3a139ec8da182d64f5ef23

SHA512
b4902b3080be5558c4ebf4c26bf56a690f5318753de840a24c59f087d1f98adc855a019e90721c105bf7af48009334fd69453a973d3e69a9edba57782b9d8577

Download Submit
C:\Vid8B\boddevec.exe

Filesize
2.7MB

MD5
bf0614f39cf61cce296c210058c44b0d

SHA1
b526e196cccc09c5458b70859ae9498b0184e0a4

SHA256
686740e5f55999a63c38658a23c5151c0114c9b768cded78d8ce914c645b04ef

SHA512
0c5a75b1da099f328cb884b9f5da2223564fbbdafdcff65c87a1c91883d18dc57374256360e101393b10e6ed733f40641fa754bbeebc38e740cf3628f956dffe

Download Submit