0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
Size

4.1MB
MD5

acf6cc95c592bf1c4b11a0db357c6178
SHA1

a168407ab78929ef872c0b873e7e351dc2b16eb3
SHA256

0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c
SHA512

9de87b5797c269da5f99984f974cc2c8fbccb3fc260ce040c3e5c9f37cf4bd62a75f9269bf9c274d657ddb43c8cd5f0ef4880be7cf7b91e36695f01aa07d89b5
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmM5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1916	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesM8\\xbodsys.exe"	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidX2\\dobaec.exe"	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
1916	xbodsys.exe
1916	xbodsys.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1916	3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe	89
PID 3852 wrote to memory of 1916	3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe	89
PID 3852 wrote to memory of 1916	3852	0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe	89

C:\Users\Admin\AppData\Local\Temp\0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe
"C:\Users\Admin\AppData\Local\Temp\0ee3e5e938e28ad4c693f5360fa8361dfdc81382fdbd57cc770ac20a736de65c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3852
- C:\FilesM8\xbodsys.exe
  C:\FilesM8\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesM8\xbodsys.exe

Filesize
4.1MB

MD5
baa38e0185e6be9c0187c2b07f2ee9f8

SHA1
3ec1b0a5b71065ca33a41652355c515af00677e0

SHA256
3b7db2b0f622945c13e4841b3d12e4a54ee1afd4859ae118d1a8a2fa12cee372

SHA512
b49cb6732a961684f9ae71de08bd69abcf845c531d1e95a4b52780f9848da80a951f229be7a9638388d694c7672de519e675e73885e0a7ee560a92e062e6b6e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
58b7de8775a0eb3300184a3b32c9f03d

SHA1
558701f03a6b692ef1cfed9b0511c2d47be5703a

SHA256
cdccf5bce9bcde2e2b728a3486b5b2ce990a3a2281ae369bc82ad1fa0ff9c558

SHA512
579a2b728a9aac615dfabeaadf006a95630b469c4faf4e3bf14ac6e6e81e16d945e1d42e98d75ec154736f839dc63b32cb797cbdd56a179423bf970e230a4425

Download Submit
C:\VidX2\dobaec.exe

Filesize
4KB

MD5
8eb2b86d56c013adbcd0b59d7e011880

SHA1
9b7f8fbb657667bab646452f48a1348653e81d45

SHA256
51d699bdd3b8d14f372ba605ae8f322f9959039c6c6b29c39093d7fc670bb4cf

SHA512
3a426dc07f6f46f499b36769e2137da9d589f16bd4cdfbbe6b28b02e5e4adb04cdfb8a021f5e2591100e81c24f3e87ef8f767c5736721391fb8906ce287ae05d

Download Submit