5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
Size

2.7MB
MD5

328e17734d8135a5bc6019a75d1dc6e9
SHA1

68a7039fd581266072dc7ba7a9a80d92ec96a56c
SHA256

5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47
SHA512

659e5b5b5969f19a75888767eb4d08b1fa9e2ed1d06eed4d1436ca40ea40c0cf1a327f2e529549d1436e585d51528ecb2a26462acbd08859cf97bb82869e5769
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB49w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJR\\xbodloc.exe"	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJW\\bodxec.exe"	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
2152	xbodloc.exe
1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2152	1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe	28
PID 1976 wrote to memory of 2152	1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe	28
PID 1976 wrote to memory of 2152	1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe	28
PID 1976 wrote to memory of 2152	1976	5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe	28

C:\Users\Admin\AppData\Local\Temp\5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe
"C:\Users\Admin\AppData\Local\Temp\5e8ea0ee967245a7823b715a7483ef525eaed22498daf83fcb7229c9bcb36d47.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\UserDotJR\xbodloc.exe
  C:\UserDotJR\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZJW\bodxec.exe

Filesize
2.7MB

MD5
a804fd7e120942ee989b56b0615464b8

SHA1
637cdcdeb8b06a3cd0636e3703df34818faa9d62

SHA256
35544c7696c3819e2c64a818557be2ba607025f0e3bcc3edbfc9feeb7fb473dd

SHA512
03ae667e50e86e4211b618efaa0e43c89e6e385cf6de8cb5de1e88ea1abcd3f21fa197619aabf02a6dc992cd16465466ea1188c68b19194ff9290a02894be59c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
9822ae288b17a78ad7ff1bfdc79f2f12

SHA1
ee8e7c440163293dd8a81a73536744791d5496c0

SHA256
dcacf3d372819b94ea8c809e6442acdff0df10e57f2725dc85c443e8c4e42b68

SHA512
b1684b7c438267dca9163ab4fbad2aaa01895713e44c58ec47259980ff8cf3c5e043afd675dc2e9f4a4f44d5243ab8617e350504349ae2062d3db0e1d64a2e8f

Download Submit
\UserDotJR\xbodloc.exe

Filesize
2.7MB

MD5
28636bfc9edbb3ce6d7323795679742b

SHA1
73582ebdf7694fa74f23a3389bec82d04b619835

SHA256
c4cd99ce96b48c7582f2cd7c3322c33f101015068329a21db74982d69946a87d

SHA512
0ec1f1b5cf31f70c25de00c616c6109a188857913433c2167a0f3b0bca4a75051153f731682bf8928764484b11ee54caec437b8a53d9c4d0671f57a5335aaa6a

Download Submit