9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
Size

4.1MB
MD5

60e87dab4cfbc8dfa37be5d93f502800
SHA1

43eebb6adf64db230c72f3c7a6ff56fc2b236781
SHA256

9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f
SHA512

39c27c0106f45ed600c1d2b074ee04f8f94d85b834467c0fb980f1373602d8e4446c2ff014624e3ded80e4ea5c5d2b9cc4b799dfa50503c501ebdadec7074450
SSDEEP

98304:+R0pI/IQlUoMPdmpSps4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmX5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
868	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUB\\xbodloc.exe"	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOE\\boddevec.exe"	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
868	xbodloc.exe
1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 868	1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe	28
PID 1684 wrote to memory of 868	1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe	28
PID 1684 wrote to memory of 868	1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe	28
PID 1684 wrote to memory of 868	1684	9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe	28

C:\Users\Admin\AppData\Local\Temp\9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe
"C:\Users\Admin\AppData\Local\Temp\9551c68ab6f509db0163206caaed7d072d7300ebd07aff4eadc15ed2a22f8e2f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\FilesUB\xbodloc.exe
  C:\FilesUB\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxOE\boddevec.exe

Filesize
4.1MB

MD5
fdba4cb5f604a6bb1439e610efe525b8

SHA1
af6660541574ff133cb14b0f018d86a1556aa3d9

SHA256
a65d0f9bfa7e6677c54cc2cdefd00d7fec40cf6cd22969e035de3ae730f4161d

SHA512
fccff226ee634f394a2d9620d368be864512d952853c73cdd6b4431686449493270760e712a8c34c85e8e82ecf33fffac557e170424fd13021b22433ba039965

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
14a1f4f965eab9e4254194c3a0452d37

SHA1
afc2227d6453e8ff4b02da7b2485f4427255ab90

SHA256
d93407cc0abdd7af491b8fab81f080b9c0cba78c5d5b2e3b80ddf9750a54bd1a

SHA512
9062967f8be45ac078fcb1e7bdd566d721d2b275c7046106161a28d91dc0f0bec5110aec353379eade2bc6b233950d934f71ec8ebffa7da0241420ed2c3dac65

Download Submit
\FilesUB\xbodloc.exe

Filesize
4.1MB

MD5
4eee28f2800be4e534682f54ea4ef8cc

SHA1
c896fa709f2f0b31700eb1788e43c6bd04cfb332

SHA256
ab169f5ccb63c007af7ef08766c20af67e2025c021f74f8c86e843271afa85a3

SHA512
a50dc9dd3807505396ae19c3eea45d8144e151556ca0cf3e76f6cccae59f7ab165849da01d03d4a44d8a3eec486291337a46639a8ec530ef3211907255e77d70

Download Submit