c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745

General

Target

c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
Size

4.1MB
MD5

98caf36703d26d7f905fd26e1f00ab6e
SHA1

fa95b63c32340b2f1e5bac252954ccd8b63cf81b
SHA256

c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745
SHA512

ecd9f6cae68095fd5c850e7d58e69e2d53791e691a2034d0998c261a655487f955abdcab868f40c9ef78834f8485aeeec1c9579794bc67c63590148a262aea69
SSDEEP

98304:+R0pI/IQlUoMPdmpSp84ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmr5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xbodec.exe

pid process

1236 xbodec.exe

pid	process
1236	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1W\\xbodec.exe"	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKC\\dobasys.exe"	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exexbodec.exe

pid	process
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
1236	xbodec.exe
1236	xbodec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe

description	pid	process	target process
PID 2604 wrote to memory of 1236	2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe	xbodec.exe
PID 2604 wrote to memory of 1236	2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe	xbodec.exe
PID 2604 wrote to memory of 1236	2604	c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe	xbodec.exe

C:\Users\Admin\AppData\Local\Temp\c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe
"C:\Users\Admin\AppData\Local\Temp\c05abc07c83e2bdbe725cd5b71b5805a1e086fd44a14409eaf6800119b8c3745.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604

C:\Files1W\xbodec.exe
C:\Files1W\xbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files1W\xbodec.exe
Filesize
4.1MB

MD5
8aa04b9aca6754e82dbbeeb735bc62db

SHA1
47503e1bf417c0f1c5e9649b51aafce00749e808

SHA256
7cc1c2ca1d3b99528433e37a2a4b730ffebc6584864e99d7c2ac9b43adcae2f4

SHA512
511d9dd0718cd7adfdcac7ed8877e5defd1394177bb0a450b7138e6fb77f01917493a0ea73f9b0e907350628d8d2bf4fdfb8a698aa9a691c098d93df0b0c45ca

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
198B

MD5
6744318cf6e1ebfea6b74a1157eec381

SHA1
1471b240a713ddf7e9aae3f4ef8182d0c2a49d84

SHA256
e3c9ef03f258c4ca41200f077f117a655458770fbda8ba6594b35cf055a7e074

SHA512
72e93a01cc714f4f0d6790a404f3a2264ffa76c41124b289d097979503335bcf04522b5c8d003fe8fb3c899ef571863066494f3ab97c44759c9574bcc84cd316

Download Submit
C:\VidKC\dobasys.exe
Filesize
4.1MB

MD5
efe80c1433e2c86cc13c6b4b8be656dc

SHA1
92a87295cbd463ea643891f76ed39aa6c84b6c7d

SHA256
ef87c5560a4ee275aaea68d5f9005c0757fb65938b5616ef29f56a1840e9d41d

SHA512
e6d6528b30e7ddbaca1ff8b4bdd509750148909728184fb339f835838f23afac1fa10ed5bdc51eec442df99b699428f1bfdf9fb673f537e8ef487c1c0f48d473

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads