d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
Size

4.1MB
MD5

18605fa8c14105445e0a8f92c8ba20e4
SHA1

234826971935ddef29bbd1b2ac917aaf932c5636
SHA256

d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e
SHA512

9ac577c4a63fd0466225b7ad90d9c89570cc2562a141a3c1f56833bf310bad33369e9f4db6affbc4d0df204324178df330cb336528ed520bb6f55c1e3d30de44
SSDEEP

98304:+R0pI/IQlUoMPdmpSpZ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmy5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1460	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7R\\xbodec.exe"	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKS\\dobxsys.exe"	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
1460	xbodec.exe
1460	xbodec.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1460	4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	86
PID 4800 wrote to memory of 1460	4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	86
PID 4800 wrote to memory of 1460	4800	d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe	86

C:\Users\Admin\AppData\Local\Temp\d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe
"C:\Users\Admin\AppData\Local\Temp\d661014b3a15e003694981227fb7a09490779cc9623e1a400b4bf4ff7fe72c9e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Intelproc7R\xbodec.exe
  C:\Intelproc7R\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKS\dobxsys.exe

Filesize
4.1MB

MD5
3f0133993f8f6e437039393ac9d5a513

SHA1
f09148d3747cbf2e5283c05992e1449d93883166

SHA256
6ea09a48052218930d0b5addabc3ca96726eb7a5ba60419e42975962bfb80f11

SHA512
7d8a7406db0a9e65c68d3ab76029a4e980ccf0e33fc84300bba6a0c84841fbb0b611d654398e772db7970e798513dfb700b7f4d55b1bdf8b6b0f78f9fd9acca2

Download Submit
C:\Intelproc7R\xbodec.exe

Filesize
4.1MB

MD5
9c56f688e4f709311b16fa6af0b66b37

SHA1
32859cdad58a18fab13b1e2ff17d41d92fc9a393

SHA256
2f81da80701eeefda747a2ef5a0dbb9de60dd6f3b652b3133bb1edb84380ff46

SHA512
fa471602f452402400bd5c5670c7a7883d3dfc78519080b070d0b73dbc488863e57fb98ba99b52d9ae10c8ed500b20b7519eebc5f18ac8299041d5186346251f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
ca9fedaa955a47c1d1c90d4dbe6e9dbb

SHA1
a8a4b2f9994956f0e19728f528f3ddf63d82baa0

SHA256
385c5c4f9f48791cc52989c99bb783aba9f15d16d4a4d20f3e48e17c435fc9e7

SHA512
1fdf7cbcddb35c2e85744044188ce8389f3b804cc5c78de6c0c4de123f4896e01f7bfee9321f89bf3e8516c27858816bbe150f6ea11581567abcb02dee5271ef

Download Submit