d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
Size

4.1MB
MD5

18605fa8c14105445e0a8f92c8ba20e4
SHA1

234826971935ddef29bbd1b2ac917aaf932c5636
SHA256

d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e
SHA512

9ac577c4a63fd0466225b7ad90d9c89570cc2562a141a3c1f56833bf310bad33369e9f4db6affbc4d0df204324178df330cb336528ed520bb6f55c1e3d30de44
SSDEEP

98304:+R0pI/IQlUoMPdmpSpZ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmy5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
464	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPD\\xbodec.exe"	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEW\\boddevsys.exe"	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
464	xbodec.exe
2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 464	2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	28
PID 2912 wrote to memory of 464	2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	28
PID 2912 wrote to memory of 464	2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	28
PID 2912 wrote to memory of 464	2912	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	28

C:\Users\Admin\AppData\Local\Temp\d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
"C:\Users\Admin\AppData\Local\Temp\d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\UserDotPD\xbodec.exe
  C:\UserDotPD\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZEW\boddevsys.exe

Filesize
3.4MB

MD5
7c290510a99a058b90b6ea1977848b7e

SHA1
802932c6b2125a4b16f42697469efa8ca9d09046

SHA256
4554285c39b91d6a3c37038414d27ce68065a665f605fe7c6ed5f9a3728748f6

SHA512
bd4608f5f9b4ffc8efd7c363e83efc685f771488a89c42287cde3ee25af52385dc0055ac68139c36ed02920b5f67b7aad212e7cbebf466c86f75e3ce0bfa0752

Download Submit
C:\LabZEW\boddevsys.exe

Filesize
4.1MB

MD5
90b022ed3a2d70d3418bd0081b0c0909

SHA1
c10a7be560c68727a4ee4dd9ce8505ca1a414526

SHA256
9669890de0a45a61c4ccad94f7b0f0d11407d7a7e40da13d398b3b65d0840012

SHA512
e126f310ce6624907f9dd300a824b836982a09911764af251fe1d457215fee95323baa55eefe6e22293d532cdf93def4d2db015e7c2305bd7b1227410194d68c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ead53d2c717f392e799a5dcbf17ace73

SHA1
db07c8d4d7128458b36cfccc8c56684dcd0d1965

SHA256
8f8b6cbb5f327bd93250e9497b742a808b858352e9d2527d10c054b2430ab8ba

SHA512
a672029b1c78d77f4029ae00eaad94830bee4ceb91f36a13d550bba128a302905230dde6d12cae4b4bc8bd6fad20c980b933ef3a14f9eff05c5262700308f066

Download Submit
\UserDotPD\xbodec.exe

Filesize
4.1MB

MD5
324fe2e0b7f12dcb6dcc988a1687f03c

SHA1
5f434f82f1d21a3cd3ee117191e0cc3058d37306

SHA256
c0fbcebec75aa4ec90febab00d6d27e1b29c714a0382fbd5a1b097720ecd4fa9

SHA512
95e1a539da0e5bc70657979a7e0a9fb5408957f16901aa06c392735e8298b997c8213a1307006fa7b51ecf391b187de33f57ceced162b83f7352917d03fa0e2b

Download Submit