Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/05/2024, 20:13

General

  • Target

    2337312fb03434e72f2a9483ffacf02caabc2943367e203bba79aa01ac456870.exe

  • Size

    2.7MB

  • MD5

    b22f7f038af0054ac4bb78111af3be72

  • SHA1

    7df948218d07e92cc1e1fb1e3e081cc39d05a1f0

  • SHA256

    2337312fb03434e72f2a9483ffacf02caabc2943367e203bba79aa01ac456870

  • SHA512

    32961a43ee4e2ee1ee6a365eaf00b4b8e699928edd358888f667a3221ab187ad74c213f2bb73e513f60be5805adf3be856624041d9b622e53c6ad72860a75fae

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpZ4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2337312fb03434e72f2a9483ffacf02caabc2943367e203bba79aa01ac456870.exe
    "C:\Users\Admin\AppData\Local\Temp\2337312fb03434e72f2a9483ffacf02caabc2943367e203bba79aa01ac456870.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\UserDotJR\xbodloc.exe
      C:\UserDotJR\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2476

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZJW\bodxec.exe

          Filesize

          2.7MB

          MD5

          2559d643ed1ce01ea245dd9d40e178aa

          SHA1

          806f609300382a27a4a4ebc85544283aa9616db6

          SHA256

          d31a899865b574ac81acbbba95f5de56d506a76312e6c00272302db191629130

          SHA512

          6f29d7ca82add0802585d7e6e1a3f441e08e57515a5bb45ce7c6b1bc3242d3fc2bf9be5328ed923b415d588e1bd8458137c469c247e208ec395d5352a6077ed5

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          0b3841003313a917ca04396fd9b00e49

          SHA1

          a7a811a5e6e5ed0bfc8b65307baf15378f715e9a

          SHA256

          a56a02d04fe4689d1faede33936df0c8ae5b4310377ac13d6cfad75699a67fdb

          SHA512

          52c9068a4482ea1c706f2fb1c6510a94288d13dabe3fd05d02793a8efd3fdad0fdad2bd46f56f172e6960270dbd9af8a19e08c391a1073bf8d125498cc8d8358

        • \UserDotJR\xbodloc.exe

          Filesize

          2.7MB

          MD5

          71cdaf88817caa7ba22fba8f22ba1ef9

          SHA1

          1565c055d92cb8dc354ae7e7154f19aa25c94f74

          SHA256

          cfba1921fb03a70b776d0ada1aad6bee138a3b3c641819d78dee2e95e1761615

          SHA512

          90eb7795b1a9a63a538f2fbbc3f72c5c7fd0a3deaec91c228b2e888c24df305530bd38b2da0ff762f16ca7631b466ae5e790380e745e93d366250938c4de009a