7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
Size

2.7MB
MD5

3ecbdbed8fa410f1ee39fe3efe46593b
SHA1

f4353c9db000b9e9673beaefdfe6ad83300538c7
SHA256

7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee
SHA512

78d347fb9136907d2387089c8567b1d40187daf621a3dafc3eeb211f0ef08b489ac6108a3ad121d52e964b1c2340a7574e5b10a57230f4d1bbadf7e8c7d1171f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB59w4Sx:+R0pI/IQlUoMPdmpSp54

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5H\\xbodloc.exe"	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHZ\\dobdevec.exe"	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
3040	xbodloc.exe
1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3040	1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe	28
PID 1644 wrote to memory of 3040	1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe	28
PID 1644 wrote to memory of 3040	1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe	28
PID 1644 wrote to memory of 3040	1644	7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe	28

C:\Users\Admin\AppData\Local\Temp\7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe
"C:\Users\Admin\AppData\Local\Temp\7648be6059d9b0a96e9be1d91a423927c791ed72adfe2d1714ac3e251deb95ee.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Files5H\xbodloc.exe
  C:\Files5H\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
65e0970c44b2150debfdb41f34186af7

SHA1
89f2e5605791053a3e626fa3320f73a8b1c2990b

SHA256
db63bc8a05082f45f7f503f3496f8dde6f53db5181e73a41ff467b3933bbd33f

SHA512
388ec53bd455cffa9ec9c2d2b854dffb3547ece61f6b66799d881b61c8bf457918c138ac9ee425f0ed064f76ba95b44c99455e62c48e28fada28e0a48a883190

Download Submit
C:\VidHZ\dobdevec.exe

Filesize
2.7MB

MD5
1f3e655e43c75b8efe59519190d37e7f

SHA1
bedd035fab615c6879304341687d54a1fcaa1990

SHA256
dd70f1dc102d52a213f5ce1c66e35a4927ebcf5474fa06402496850fac13ed14

SHA512
8086f9bb1bfaf553859e52e9e6799a710d6aebb3a6937d09e3c731fb247c0049b30c01ad285bd87c77c145dc918e8d5301d77c26e830ee2c87906b9c06bb9e2c

Download Submit
\Files5H\xbodloc.exe

Filesize
2.7MB

MD5
fa2c723dd78964d321f14e05690a0f84

SHA1
5853886a86c64e367d50e3aa84bb50690cef22f1

SHA256
2f69d2475b9d4ef7411648fa9e758df33cb67dd91e6ea8158f40166251b17105

SHA512
9e1567b5e3aea477e3afc01e36015a42ff02b9092b89863d0718d8cc80157d9974290af3f025181965c9f62e102a37a16014c4167a7ddab22970df6b2360f755

Download Submit